Edit tour

Windows Analysis Report
PURCHASE ORDER.exe

Overview

General Information

Sample Name:	PURCHASE ORDER.exe
Analysis ID:	755961
MD5:	a55b4bb09398659d69f1b8b37541e621
SHA1:	975f7c38780d00ae497fcb6addf31f5ad8cdb090
SHA256:	ea45a2032eebe69d32b15d3ea505330eb00b5026107e8e123fb9fb9e2bf87496
Tags:	agentteslaexe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected AgentTesla

Yara detected AntiVM3

Sigma detected: Scheduled temp file as task from temp location

Multi AV Scanner detection for dropped file

Tries to steal Mail credentials (via file / registry access)

Initial sample is a PE file and has a suspicious name

Writes to foreign memory regions

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

Injects a PE file into a foreign processes

.NET source code contains very large array initializations

Machine Learning detection for dropped file

Hides that the sample has been downloaded from the Internet (zone.identifier)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Uses schtasks.exe or at.exe to add and modify task schedules

Tries to harvest and steal browser information (history, passwords, etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Yara detected Credential Stealer

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

Drops PE files

Detected TCP or UDP traffic on non-standard ports

Uses SMTP (mail sending)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Dropped file seen in connection with other malware

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

PURCHASE ORDER.exe (PID: 5196 cmdline: C:\Users\user\Desktop\PURCHASE ORDER.exe MD5: A55B4BB09398659D69F1B8B37541E621)

schtasks.exe (PID: 1948 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PAyWOGoRT" /XML "C:\Users\user\AppData\Local\Temp\tmpF89B.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 2040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

RegSvcs.exe (PID: 4212 cmdline: {path} MD5: 2867A3817C9245F7CF518524DFD18F28)

PAyWOGoRT.exe (PID: 1520 cmdline: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe MD5: A55B4BB09398659D69F1B8B37541E621)

schtasks.exe (PID: 1240 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PAyWOGoRT" /XML "C:\Users\user\AppData\Local\Temp\tmp6AED.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 6096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

RegSvcs.exe (PID: 5292 cmdline: {path} MD5: 2867A3817C9245F7CF518524DFD18F28)

RegSvcs.exe (PID: 3836 cmdline: {path} MD5: 2867A3817C9245F7CF518524DFD18F28)

yGbzOMp.exe (PID: 1604 cmdline: "C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe" MD5: 2867A3817C9245F7CF518524DFD18F28)

conhost.exe (PID: 5188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

yGbzOMp.exe (PID: 4184 cmdline: "C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe" MD5: 2867A3817C9245F7CF518524DFD18F28)

conhost.exe (PID: 3720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Host": "mail.orogenicgroup-bd.com", "Username": "amir.hossain@orogenicgroup-bd.com", "Password": "Hossain$3400"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000000.337559814.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000000.337559814.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000003.00000000.337559814.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x31d44:$a13: get_DnsResolver 0x3043b:$a20: get_LastAccessed 0x32772:$a27: set_InternalServerPort 0x32aa7:$a30: set_GuidMasterKey 0x3054d:$a33: get_Clipboard 0x3055b:$a34: get_Keyboard 0x31928:$a35: get_ShiftKeyDown 0x31939:$a36: get_AltKeyDown 0x30568:$a37: get_Password 0x31083:$a38: get_PasswordHash 0x321a6:$a39: get_DefaultCredentials
00000000.00000002.341336847.0000000003297000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000003.00000002.412448960.00000000028F1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.412448960.00000000028F1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000002.570378772.0000000002A5C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000C.00000002.570378772.0000000002A5C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.342927901.0000000004279000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.342927901.0000000004279000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000002.342927901.0000000004279000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x159e24:$a13: get_DnsResolver 0x190444:$a13: get_DnsResolver 0x15851b:$a20: get_LastAccessed 0x18eb3b:$a20: get_LastAccessed 0x15a852:$a27: set_InternalServerPort 0x190e72:$a27: set_InternalServerPort 0x15ab87:$a30: set_GuidMasterKey 0x1911a7:$a30: set_GuidMasterKey 0x15862d:$a33: get_Clipboard 0x18ec4d:$a33: get_Clipboard 0x15863b:$a34: get_Keyboard 0x18ec5b:$a34: get_Keyboard 0x159a08:$a35: get_ShiftKeyDown 0x190028:$a35: get_ShiftKeyDown 0x159a19:$a36: get_AltKeyDown 0x190039:$a36: get_AltKeyDown 0x158648:$a37: get_Password 0x18ec68:$a37: get_Password 0x159163:$a38: get_PasswordHash 0x18f783:$a38: get_PasswordHash 0x15a286:$a39: get_DefaultCredentials
Process Memory Space: PURCHASE ORDER.exe PID: 5196	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: PURCHASE ORDER.exe PID: 5196	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: PURCHASE ORDER.exe PID: 5196	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0xa5f85:$a13: get_DnsResolver 0xa48dc:$a20: get_LastAccessed 0xa6962:$a27: set_InternalServerPort 0xa6bc9:$a30: set_GuidMasterKey 0xa49d7:$a33: get_Clipboard 0xa49e5:$a34: get_Keyboard 0xa5c05:$a35: get_ShiftKeyDown 0xa5c16:$a36: get_AltKeyDown 0xa49f2:$a37: get_Password 0xa5469:$a38: get_PasswordHash 0xa63bb:$a39: get_DefaultCredentials
Process Memory Space: RegSvcs.exe PID: 4212	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 4212	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 4212	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0xf835:$a13: get_DnsResolver 0xe18c:$a20: get_LastAccessed 0x10212:$a27: set_InternalServerPort 0x10479:$a30: set_GuidMasterKey 0xe287:$a33: get_Clipboard 0xe295:$a34: get_Keyboard 0xf4b5:$a35: get_ShiftKeyDown 0xf4c6:$a36: get_AltKeyDown 0xe2a2:$a37: get_Password 0xed19:$a38: get_PasswordHash 0xfc6b:$a39: get_DefaultCredentials
Process Memory Space: PAyWOGoRT.exe PID: 1520	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RegSvcs.exe PID: 3836	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 3836	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 15 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.0.RegSvcs.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.0.RegSvcs.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.PURCHASE ORDER.exe.43a0ee0.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.PURCHASE ORDER.exe.43a0ee0.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
3.0.RegSvcs.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x34a83:$s10: logins 0x344fd:$s11: credential 0x3074d:$g1: get_Clipboard 0x3075b:$g2: get_Keyboard 0x30768:$g3: get_Password 0x31b18:$g4: get_CtrlKeyDown 0x31b28:$g5: get_ShiftKeyDown 0x31b39:$g6: get_AltKeyDown
0.2.PURCHASE ORDER.exe.43a0ee0.0.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32c83:$s10: logins 0x326fd:$s11: credential 0x2e94d:$g1: get_Clipboard 0x2e95b:$g2: get_Keyboard 0x2e968:$g3: get_Password 0x2fd18:$g4: get_CtrlKeyDown 0x2fd28:$g5: get_ShiftKeyDown 0x2fd39:$g6: get_AltKeyDown
3.0.RegSvcs.exe.400000.0.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x31f44:$a13: get_DnsResolver 0x3063b:$a20: get_LastAccessed 0x32972:$a27: set_InternalServerPort 0x32ca7:$a30: set_GuidMasterKey 0x3074d:$a33: get_Clipboard 0x3075b:$a34: get_Keyboard 0x31b28:$a35: get_ShiftKeyDown 0x31b39:$a36: get_AltKeyDown 0x30768:$a37: get_Password 0x31283:$a38: get_PasswordHash 0x323a6:$a39: get_DefaultCredentials
0.2.PURCHASE ORDER.exe.43a0ee0.0.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x30144:$a13: get_DnsResolver 0x2e83b:$a20: get_LastAccessed 0x30b72:$a27: set_InternalServerPort 0x30ea7:$a30: set_GuidMasterKey 0x2e94d:$a33: get_Clipboard 0x2e95b:$a34: get_Keyboard 0x2fd28:$a35: get_ShiftKeyDown 0x2fd39:$a36: get_AltKeyDown 0x2e968:$a37: get_Password 0x2f483:$a38: get_PasswordHash 0x305a6:$a39: get_DefaultCredentials
0.2.PURCHASE ORDER.exe.43a0ee0.0.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.PURCHASE ORDER.exe.43a0ee0.0.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.PURCHASE ORDER.exe.43a0ee0.0.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x34a83:$s10: logins 0x6b0a3:$s10: logins 0x344fd:$s11: credential 0x6ab1d:$s11: credential 0x3074d:$g1: get_Clipboard 0x66d6d:$g1: get_Clipboard 0x3075b:$g2: get_Keyboard 0x66d7b:$g2: get_Keyboard 0x30768:$g3: get_Password 0x66d88:$g3: get_Password 0x31b18:$g4: get_CtrlKeyDown 0x68138:$g4: get_CtrlKeyDown 0x31b28:$g5: get_ShiftKeyDown 0x68148:$g5: get_ShiftKeyDown 0x31b39:$g6: get_AltKeyDown 0x68159:$g6: get_AltKeyDown
0.2.PURCHASE ORDER.exe.43a0ee0.0.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x31f44:$a13: get_DnsResolver 0x68564:$a13: get_DnsResolver 0x3063b:$a20: get_LastAccessed 0x66c5b:$a20: get_LastAccessed 0x32972:$a27: set_InternalServerPort 0x68f92:$a27: set_InternalServerPort 0x32ca7:$a30: set_GuidMasterKey 0x692c7:$a30: set_GuidMasterKey 0x3074d:$a33: get_Clipboard 0x66d6d:$a33: get_Clipboard 0x3075b:$a34: get_Keyboard 0x66d7b:$a34: get_Keyboard 0x31b28:$a35: get_ShiftKeyDown 0x68148:$a35: get_ShiftKeyDown 0x31b39:$a36: get_AltKeyDown 0x68159:$a36: get_AltKeyDown 0x30768:$a37: get_Password 0x66d88:$a37: get_Password 0x31283:$a38: get_PasswordHash 0x678a3:$a38: get_PasswordHash 0x323a6:$a39: get_DefaultCredentials
Click to see the 7 entries

Sigma Signatures

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PAyWOGoRT" /XML "C:\Users\user\AppData\Local\Temp\tmpF89B.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PAyWOGoRT" /XML "C:\Users\user\AppData\Local\Temp\tmpF89B.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\Desktop\PURCHASE ORDER.exe, ParentImage: C:\Users\user\Desktop\PURCHASE ORDER.exe, ParentProcessId: 5196, ParentProcessName: PURCHASE ORDER.exe, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PAyWOGoRT" /XML "C:\Users\user\AppData\Local\Temp\tmpF89B.tmp, ProcessId: 1948, ProcessName: schtasks.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: PURCHASE ORDER.exe	ReversingLabs: Detection: 60%
Source: PURCHASE ORDER.exe	Virustotal: Detection: 47%			Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe

ReversingLabs: Detection: 60%

Machine Learning detection for sample

Source: PURCHASE ORDER.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe

Joe Sandbox ML: detected

Source: 3.0.RegSvcs.exe.400000.0.unpack

Avira: Label: TR/Spy.Gen8

Source: 0.2.PURCHASE ORDER.exe.43a0ee0.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "mail.orogenicgroup-bd.com", "Username": "amir.hossain@orogenicgroup-bd.com", "Password": "Hossain$3400"}

Source: PURCHASE ORDER.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: PURCHASE ORDER.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: RegSvcs.pdb, source: yGbzOMp.exe, 00000005.00000000.371961562.0000000000902000.00000002.00000001.01000000.0000000A.sdmp, RegSvcs.exe, 0000000C.00000003.462171566.000000000600D000.00000004.00000800.00020000.00000000.sdmp, yGbzOMp.exe.3.dr
Source:	Binary string: RegSvcs.pdb source: yGbzOMp.exe, 00000005.00000000.371961562.0000000000902000.00000002.00000001.01000000.0000000A.sdmp, RegSvcs.exe, 0000000C.00000003.462171566.000000000600D000.00000004.00000800.00020000.00000000.sdmp, yGbzOMp.exe.3.dr

Source: global traffic

TCP traffic: 192.168.2.4:49695 -> 119.148.27.3:587

Source: global traffic

TCP traffic: 192.168.2.4:49695 -> 119.148.27.3:587

Source: RegSvcs.exe, 00000003.00000002.412448960.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.570378772.0000000002A5C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegSvcs.exe, 0000000C.00000002.570378772.0000000002A5C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: RegSvcs.exe, 0000000C.00000002.570378772.0000000002A5C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://JXqRNJ.com
Source: RegSvcs.exe, 00000003.00000002.417544241.0000000002C7D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.422933643.0000000005D81000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.574204192.0000000002E19000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.577522128.0000000006045000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: RegSvcs.exe, 00000003.00000002.423143006.0000000005DBC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.577522128.0000000006045000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: RegSvcs.exe, 00000003.00000002.417544241.0000000002C7D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.422933643.0000000005D81000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.574204192.0000000002E19000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.577522128.0000000006045000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: RegSvcs.exe, 00000003.00000002.417544241.0000000002C7D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.422933643.0000000005D81000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.422762374.0000000005D62000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.574204192.0000000002E19000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.577522128.0000000006045000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: RegSvcs.exe, 00000003.00000002.417544241.0000000002C7D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.574204192.0000000002E19000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.orogenicgroup-bd.com
Source: RegSvcs.exe, 00000003.00000002.417544241.0000000002C7D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.422933643.0000000005D81000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.422762374.0000000005D62000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.574204192.0000000002E19000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.577522128.0000000006045000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: PURCHASE ORDER.exe, 00000000.00000002.341153865.0000000003251000.00000004.00000800.00020000.00000000.sdmp, PAyWOGoRT.exe, 00000004.00000002.405112701.0000000003001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: RegSvcs.exe, 0000000C.00000002.570378772.0000000002A5C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.574175039.0000000002E13000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.574144305.0000000002E0F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://0boQaB1sN6dM.org
Source: RegSvcs.exe, 00000003.00000002.417544241.0000000002C7D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.422933643.0000000005D81000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.422762374.0000000005D62000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.574204192.0000000002E19000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.577522128.0000000006045000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: RegSvcs.exe, 00000003.00000002.412448960.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.570378772.0000000002A5C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www

Source: unknown

DNS traffic detected: queries for: mail.orogenicgroup-bd.com

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.PURCHASE ORDER.exe.43a0ee0.0.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 3.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.PURCHASE ORDER.exe.43a0ee0.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.PURCHASE ORDER.exe.43a0ee0.0.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.PURCHASE ORDER.exe.43a0ee0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000003.00000000.337559814.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000000.00000002.342927901.0000000004279000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: PURCHASE ORDER.exe PID: 5196, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 4212, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: PURCHASE ORDER.exe

.NET source code contains very large array initializations

Source: 3.0.RegSvcs.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b1A51FE34u002d102Bu002d4B81u002dB647u002d9B5BFE7FC3FBu007d/u00339A8F051u002d32C9u002d4CC9u002dBC08u002dBE27BEFD88F4.cs

Large array initialization: .cctor: array initializer size 10971

Source: PURCHASE ORDER.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 3.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.PURCHASE ORDER.exe.43a0ee0.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 3.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.PURCHASE ORDER.exe.43a0ee0.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.PURCHASE ORDER.exe.43a0ee0.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.PURCHASE ORDER.exe.43a0ee0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000003.00000000.337559814.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000000.00000002.342927901.0000000004279000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: PURCHASE ORDER.exe PID: 5196, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: RegSvcs.exe PID: 4212, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20

Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Code function: 0_2_01553D9D	0_2_01553D9D
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Code function: 0_2_01551C40	0_2_01551C40
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Code function: 0_2_01550EB0	0_2_01550EB0
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Code function: 0_2_015518F0	0_2_015518F0
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Code function: 0_2_015518E0	0_2_015518E0
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Code function: 0_2_01556508	0_2_01556508
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Code function: 0_2_01551C31	0_2_01551C31
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Code function: 0_2_01556F18	0_2_01556F18
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Code function: 0_2_01553F9B	0_2_01553F9B
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Code function: 0_2_01551ED8	0_2_01551ED8
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Code function: 0_2_01551EC9	0_2_01551EC9
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Code function: 0_2_01550EA0	0_2_01550EA0
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Code function: 0_2_0160E2C8	0_2_0160E2C8
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Code function: 0_2_0160E2D8	0_2_0160E2D8
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Code function: 0_2_0160BFC4	0_2_0160BFC4
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Code function: 0_2_031C65B8	0_2_031C65B8
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Code function: 0_2_031C65A9	0_2_031C65A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00DEE16B	3_2_00DEE16B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00DEDA01	3_2_00DEDA01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_04D7F780	3_2_04D7F780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_04D7B520	3_2_04D7B520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_04D7FAC8	3_2_04D7FAC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D30548	3_2_05D30548
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D3C508	3_2_05D3C508
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D32638	3_2_05D32638
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D3CB40	3_2_05D3CB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05E6A5A4	3_2_05E6A5A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05E6F910	3_2_05E6F910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05E6CD19	3_2_05E6CD19
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05E6F4CF	3_2_05E6F4CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05E60040	3_2_05E60040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05E65428	3_2_05E65428
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05E67E40	3_2_05E67E40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05E61F88	3_2_05E61F88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05E885B8	3_2_05E885B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05E81958	3_2_05E81958
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05E8A4C0	3_2_05E8A4C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05E8E770	3_2_05E8E770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05E84E28	3_2_05E84E28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05E8D578	3_2_05E8D578
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05E8D518	3_2_05E8D518
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05E873D0	3_2_05E873D0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: String function: 05D36F60 appears 52 times

Source: PURCHASE ORDER.exe, 00000000.00000002.341336847.0000000003297000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000000.00000002.348745127.00000000078A0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000000.00000002.343797180.0000000004468000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000000.00000002.343797180.0000000004468000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameqyB5isNZ.exe8 vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000000.00000002.346074250.00000000056D0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCassa.dll< vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000000.00000002.342927901.0000000004279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename98c82298-36d2-4e7e-8ae3-4950e4f51184.exe4 vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000000.00000002.341153865.0000000003251000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename98c82298-36d2-4e7e-8ae3-4950e4f51184.exe4 vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe	Binary or memory string: OriginalFilenameqyB5isNZ.exe8 vs PURCHASE ORDER.exe

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe 43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50

Source: PURCHASE ORDER.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: PAyWOGoRT.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: PURCHASE ORDER.exe	ReversingLabs: Detection: 60%
Source: PURCHASE ORDER.exe	Virustotal: Detection: 47%

Source: C:\Users\user\Desktop\PURCHASE ORDER.exe

File read: C:\Users\user\Desktop\PURCHASE ORDER.exe

Jump to behavior

Source: PURCHASE ORDER.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\PURCHASE ORDER.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\PURCHASE ORDER.exe C:\Users\user\Desktop\PURCHASE ORDER.exe
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PAyWOGoRT" /XML "C:\Users\user\AppData\Local\Temp\tmpF89B.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
Source: unknown	Process created: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe C:\Users\user\AppData\Roaming\PAyWOGoRT.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe "C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe"
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe "C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe"
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PAyWOGoRT" /XML "C:\Users\user\AppData\Local\Temp\tmp6AED.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PAyWOGoRT" /XML "C:\Users\user\AppData\Local\Temp\tmpF89B.tmp	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PAyWOGoRT" /XML "C:\Users\user\AppData\Local\Temp\tmp6AED.tmp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}	Jump to behavior

Source: C:\Users\user\Desktop\PURCHASE ORDER.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\PURCHASE ORDER.exe

File created: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe

Jump to behavior

Source: C:\Users\user\Desktop\PURCHASE ORDER.exe

File created: C:\Users\user\AppData\Local\Temp\tmpF89B.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@18/9@2/1

Source: C:\Users\user\Desktop\PURCHASE ORDER.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: RegSvcs.exe, 00000003.00000002.417165095.0000000002C40000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.573889145.0000000002DDB000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: PURCHASE ORDER.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe	Mutant created: \Sessions\1\BaseNamedObjects\nnVWvWgWBznoFzzQRNsbxIAQxt
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2040:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6096:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3720:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5188:120:WilError_01

Source: 3.0.RegSvcs.exe.400000.0.unpack, A/f2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.0.RegSvcs.exe.400000.0.unpack, A/f2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\PURCHASE ORDER.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: PURCHASE ORDER.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: PURCHASE ORDER.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: RegSvcs.pdb, source: yGbzOMp.exe, 00000005.00000000.371961562.0000000000902000.00000002.00000001.01000000.0000000A.sdmp, RegSvcs.exe, 0000000C.00000003.462171566.000000000600D000.00000004.00000800.00020000.00000000.sdmp, yGbzOMp.exe.3.dr
Source:	Binary string: RegSvcs.pdb source: yGbzOMp.exe, 00000005.00000000.371961562.0000000000902000.00000002.00000001.01000000.0000000A.sdmp, RegSvcs.exe, 0000000C.00000003.462171566.000000000600D000.00000004.00000800.00020000.00000000.sdmp, yGbzOMp.exe.3.dr

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D3F488 push esp; retf	3_2_05D3F5A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D3E11E push ecx; iretd	3_2_05D3E11F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05D3E123 push eax; iretd	3_2_05D3E124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05E63F21 push E904DDD4h; retf 0001h	3_2_05E63F26

Source: initial sample	Static PE information: section name: .text entropy: 7.897447602261709
Source: initial sample	Static PE information: section name: .text entropy: 7.897447602261709

Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	File created: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File created: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe			Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\PURCHASE ORDER.exe

Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PAyWOGoRT" /XML "C:\Users\user\AppData\Local\Temp\tmpF89B.tmp

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run yGbzOMp			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run yGbzOMp			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe:Zone.Identifier read attributes \| delete			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe:Zone.Identifier read attributes \| delete			Jump to behavior

Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 00000000.00000002.341336847.0000000003297000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PURCHASE ORDER.exe PID: 5196, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PAyWOGoRT.exe PID: 1520, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: PURCHASE ORDER.exe, 00000000.00000002.341336847.0000000003297000.00000004.00000800.00020000.00000000.sdmp, PAyWOGoRT.exe, 00000004.00000002.405112701.0000000003001000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: PURCHASE ORDER.exe, 00000000.00000002.341336847.0000000003297000.00000004.00000800.00020000.00000000.sdmp, PAyWOGoRT.exe, 00000004.00000002.405112701.0000000003001000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 2168	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe TID: 6064	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe TID: 2032	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe TID: 5168	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 9777			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 9736

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\PURCHASE ORDER.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99843	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99717	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99607	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99499	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99390	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98923	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98800	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98640	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98421	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98199	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98076	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97825	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97483	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97042	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96827	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96715	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96608	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96044	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95826	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95716	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95499	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95390	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95046	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94933	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94718	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94390	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 100000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99874
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99749
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99625
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99515
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99404
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99295
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99186
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99067
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98906
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98795
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98687
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98577
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98465
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98343
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98234
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97887
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97761
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97625
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97515
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97406
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97295
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97186
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96843
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96734
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96607
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96499
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96386
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96280
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96164
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95984
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95874
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95656
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95546
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95437
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95321
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95218
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95109
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94999
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94874
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94655
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94546
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94436
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94327

Source: PAyWOGoRT.exe, 00000004.00000002.405112701.0000000003001000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: PAyWOGoRT.exe, 00000004.00000002.405112701.0000000003001000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: PAyWOGoRT.exe, 00000004.00000002.405112701.0000000003001000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: PAyWOGoRT.exe, 00000004.00000002.405112701.0000000003001000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: PAyWOGoRT.exe, 00000004.00000002.405112701.0000000003001000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE
Source: PAyWOGoRT.exe, 00000004.00000002.405112701.0000000003001000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: PAyWOGoRT.exe, 00000004.00000002.405112701.0000000003001000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: PAyWOGoRT.exe, 00000004.00000002.405112701.0000000003001000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: PAyWOGoRT.exe, 00000004.00000002.405112701.0000000003001000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: RegSvcs.exe, 0000000C.00000002.577267438.0000000006000000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\PURCHASE ORDER.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 3_2_05E86BF8 LdrInitializeThunk,

3_2_05E86BF8

Source: C:\Users\user\Desktop\PURCHASE ORDER.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 438000	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43A000	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 80A008	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 438000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43A000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 872008	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PAyWOGoRT" /XML "C:\Users\user\AppData\Local\Temp\tmpF89B.tmp	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PAyWOGoRT" /XML "C:\Users\user\AppData\Local\Temp\tmp6AED.tmp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}	Jump to behavior

Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Users\user\Desktop\PURCHASE ORDER.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe	Queries volume information: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Queries volume information: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Queries volume information: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\PURCHASE ORDER.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 3_2_05D354C0 GetUserNameW,

3_2_05D354C0

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 3.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PURCHASE ORDER.exe.43a0ee0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PURCHASE ORDER.exe.43a0ee0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.337559814.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.342927901.0000000004279000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.412448960.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.570378772.0000000002A5C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PURCHASE ORDER.exe PID: 5196, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4212, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3836, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior

Source: Yara match	File source: 00000003.00000002.412448960.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.570378772.0000000002A5C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4212, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3836, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 3.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PURCHASE ORDER.exe.43a0ee0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PURCHASE ORDER.exe.43a0ee0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.337559814.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.342927901.0000000004279000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.412448960.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.570378772.0000000002A5C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PURCHASE ORDER.exe PID: 5196, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4212, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3836, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	211 Windows Management Instrumentation	1 Scheduled Task/Job	211 Process Injection	1 Disable or Modify Tools	2 OS Credential Dumping	1 Account Discovery	Remote Services	11 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Scheduled Task/Job	1 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	11 Deobfuscate/Decode Files or Information	1 Credentials in Registry	1 File and Directory Discovery	Remote Desktop Protocol	2 Data from Local System	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	1 Registry Run Keys / Startup Folder	3 Obfuscated Files or Information	Security Account Manager	114 System Information Discovery	SMB/Windows Admin Shares	1 Email Collection	Automated Exfiltration	1 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	3 Software Packing	NTDS	311 Security Software Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	11 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	1 Process Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	131 Virtualization/Sandbox Evasion	Cached Domain Credentials	131 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	211 Process Injection	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 Hidden Files and Directories	Proc Filesystem	1 System Owner/User Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	1 Remote System Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
PURCHASE ORDER.exe	61%	ReversingLabs	ByteCode-MSIL.Trojan.Taskun
PURCHASE ORDER.exe	48%	Virustotal		Browse
PURCHASE ORDER.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\PAyWOGoRT.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\PAyWOGoRT.exe	61%	ReversingLabs	ByteCode-MSIL.Trojan.Taskun
C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
3.0.RegSvcs.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8		Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://DynDns.comDynDNSnamejidpasswordPsi/Psi	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
https://0boQaB1sN6dM.org	0%	Avira URL Cloud	safe
http://mail.orogenicgroup-bd.com	0%	Avira URL Cloud	safe
http://JXqRNJ.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mail.orogenicgroup-bd.com	119.148.27.3	true	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:HTTP/1.1	RegSvcs.exe, 00000003.00000002.412448960.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.570378772.0000000002A5C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.apache.org/licenses/LICENSE-2.0	PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp	false		high
https://sectigo.com/CPS0	RegSvcs.exe, 00000003.00000002.417544241.0000000002C7D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.422933643.0000000005D81000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.422762374.0000000005D62000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.574204192.0000000002E19000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.577522128.0000000006045000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/?	PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp	false		high
http://mail.orogenicgroup-bd.com	RegSvcs.exe, 00000003.00000002.417544241.0000000002C7D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.574204192.0000000002E19000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www	RegSvcs.exe, 00000003.00000002.412448960.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.570378772.0000000002A5C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.tiro.com	PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/	PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://DynDns.comDynDNSnamejidpasswordPsi/Psi	RegSvcs.exe, 0000000C.00000002.570378772.0000000002A5C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://JXqRNJ.com	RegSvcs.exe, 0000000C.00000002.570378772.0000000002A5C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/DPlease	PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	PURCHASE ORDER.exe, 00000000.00000002.341153865.0000000003251000.00000004.00000800.00020000.00000000.sdmp, PAyWOGoRT.exe, 00000004.00000002.405112701.0000000003001000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://0boQaB1sN6dM.org	RegSvcs.exe, 0000000C.00000002.570378772.0000000002A5C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.574175039.0000000002E13000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.574144305.0000000002E0F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
119.148.27.3	mail.orogenicgroup-bd.com	Bangladesh		23923	AGNI-ASAgniSystemsLimitedBD	false

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	755961
Start date and time:	2022-11-29 11:23:06 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 24s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	PURCHASE ORDER.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@18/9@2/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 145 Number of non-executed functions: 9
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:24:07	API Interceptor	1x Sleep call for process: PURCHASE ORDER.exe modified
11:24:17	Task Scheduler	Run new task: PAyWOGoRT path: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe
11:24:22	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run yGbzOMp C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe
11:24:31	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run yGbzOMp C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe
11:24:35	API Interceptor	447x Sleep call for process: RegSvcs.exe modified
11:24:36	API Interceptor	1x Sleep call for process: PAyWOGoRT.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
119.148.27.3	SWIFT REFERENCE.exe	Get hash	malicious	Browse
	PAYMENT COPY.exe	Get hash	malicious	Browse
	STATEMENT OF ACCOUNT OCT.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
mail.orogenicgroup-bd.com	SWIFT REFERENCE.exe	Get hash	malicious	Browse	119.148.27.3
	PAYMENT COPY.exe	Get hash	malicious	Browse	119.148.27.3
	STATEMENT OF ACCOUNT OCT.exe	Get hash	malicious	Browse	119.148.27.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AGNI-ASAgniSystemsLimitedBD	SWIFT REFERENCE.exe	Get hash	malicious	Browse	119.148.27.3
	PAYMENT COPY.exe	Get hash	malicious	Browse	119.148.27.3
	STATEMENT OF ACCOUNT OCT.exe	Get hash	malicious	Browse	119.148.27.3
	gMDLARX9GI.elf	Get hash	malicious	Browse	119.148.55.237
	fVlHtUkKPO.elf	Get hash	malicious	Browse	119.148.55.224
	Hb8GD7pr7Z	Get hash	malicious	Browse	119.148.55.231
	GRse5xOyWS.dll	Get hash	malicious	Browse	182.252.103.223
	bkryx2aoJM	Get hash	malicious	Browse	182.252.103.235
	gBHjepWUd8	Get hash	malicious	Browse	119.148.55.248
	lDBBhuxCmi	Get hash	malicious	Browse	182.252.76.52
	yg5NmwTscp	Get hash	malicious	Browse	119.148.55.215
	ZYXESmYwdx	Get hash	malicious	Browse	119.148.24.124
	OpwoeuJ0eF	Get hash	malicious	Browse	119.148.55.211
	arm	Get hash	malicious	Browse	182.252.66.208
	BKyU0T5xcw	Get hash	malicious	Browse	119.148.55.225
	Xb1sM3W7BK	Get hash	malicious	Browse	119.148.55.215
	b3astmode.arm	Get hash	malicious	Browse	182.252.66.204
	qKxXZuMvtP	Get hash	malicious	Browse	182.252.66.208
	5whlj6Mewk	Get hash	malicious	Browse	119.148.55.250

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	monkey.scr.exe	Get hash	malicious	Browse
	Overdue_account letter.exe	Get hash	malicious	Browse
	SecuriteInfo.com.MSIL.GenKryptik.FYGA.tr.21466.8076.exe	Get hash	malicious	Browse
	8vP60HbFlryaXUJ.exe	Get hash	malicious	Browse
	Guia_6007241440032929258904227461816514046515369236897929361847432942837799.exe	Get hash	malicious	Browse
	Guia_6007241440032929258904227461816514046515369236897929361847432942837799.exe	Get hash	malicious	Browse
	Shipping documents.PDF.exe	Get hash	malicious	Browse
	SWIFT REFERENCE.exe	Get hash	malicious	Browse
	Bank TT copy.exe	Get hash	malicious	Browse
	Shipping documents and BL. PDF.exe	Get hash	malicious	Browse
	invoice.exe	Get hash	malicious	Browse
	mko.exe	Get hash	malicious	Browse
	PAYMENT COPY.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Win32.PWSX-gen.23719.26078.exe	Get hash	malicious	Browse
	TT COPY.exe	Get hash	malicious	Browse
	Draft.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Win32.CrypterX-gen.14630.22885.exe	Get hash	malicious	Browse
	82105269.exe	Get hash	malicious	Browse
	Bank letter.exe	Get hash	malicious	Browse
	STATEMENT OF ACCOUNT OCT.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PAyWOGoRT.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\PAyWOGoRT.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
MD5:	69206D3AF7D6EFD08F4B4726998856D3
SHA1:	E778D4BF781F7712163CF5E2F5E7C15953E484CF
SHA-256:	A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
SHA-512:	CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PURCHASE ORDER.exe.log

Download File

Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
MD5:	69206D3AF7D6EFD08F4B4726998856D3
SHA1:	E778D4BF781F7712163CF5E2F5E7C15953E484CF
SHA-256:	A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
SHA-512:	CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\yGbzOMp.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	142
Entropy (8bit):	5.090621108356562
Encrypted:	false
SSDEEP:	3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
MD5:	8C0458BB9EA02D50565175E38D577E35
SHA1:	F0B50702CD6470F3C17D637908F83212FDBDB2F2
SHA-256:	C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
SHA-512:	804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Temp\tmp6AED.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\PAyWOGoRT.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1642
Entropy (8bit):	5.177923914853658
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGQBtn:cbhK79lNQR/rydbz9I3YODOLNdq31
MD5:	80E675E5B2A240D5A633F826B64E2CF7
SHA1:	A690D2C5FB99B392615E75E68CE86972910D28AE
SHA-256:	4F6FD6CEF34AAFE00144F440C2AE385364AB808F5B9FCEF4E7EB5105066B0302
SHA-512:	3DA27B4BBD5C37247809800B67C0EE0DB05272AE56674AF3CDEE6D95226A7C22E3341CB5200021559C6AAE9240AF3B6A5581333D7A92543D56DA679C32EFF8DD
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Local\Temp\tmpF89B.tmp

Download File

Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1642
Entropy (8bit):	5.177923914853658
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGQBtn:cbhK79lNQR/rydbz9I3YODOLNdq31
MD5:	80E675E5B2A240D5A633F826B64E2CF7
SHA1:	A690D2C5FB99B392615E75E68CE86972910D28AE
SHA-256:	4F6FD6CEF34AAFE00144F440C2AE385364AB808F5B9FCEF4E7EB5105066B0302
SHA-512:	3DA27B4BBD5C37247809800B67C0EE0DB05272AE56674AF3CDEE6D95226A7C22E3341CB5200021559C6AAE9240AF3B6A5581333D7A92543D56DA679C32EFF8DD
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Roaming\PAyWOGoRT.exe

Download File

Process:	C:\Users\user\Desktop\PURCHASE ORDER.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	600576
Entropy (8bit):	7.888370004294712
Encrypted:	false
SSDEEP:	12288:7gkzrbETClvHskFgFwIyXCD1vmAMDfJ0/IegnS1onhj6W4ytrRpMf:/76CVskFgqIyXFhS/ngSWhxROf
MD5:	A55B4BB09398659D69F1B8B37541E621
SHA1:	975F7C38780D00AE497FCB6ADDF31F5AD8CDB090
SHA-256:	EA45A2032EEBE69D32B15D3EA505330EB00B5026107E8E123FB9FB9E2BF87496
SHA-512:	A5EB89B7B07AD51B747BA5C003D50AE8AA53C11ADB23034DA977E8AB25373A81C3C7216CDA025C25A0D55F9CAB989F93794D2512FB16A8998DFA8D58C5210590
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 61%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......c.............................5... ...@....@.. ....................................@.................................x5..W....@..4....................`....................................................... ............... ..H............text........ ...................... ..`.rsrc...4....@......................@..@.reloc.......`.......(..............@..B.................5......H............T......4........E..........................................z.(......}.....( ...o!...}......0...........{............3.....(.......................0...........{......,....f.........}......}......}.......s....o....}.......}....8......{....o....}......{....}......}.............}.....{........Y}.....{....-...+H.{........{....X.{....X .;.\|.{....Xa}......}.....{....o....:q....(....+..(........}.........(......................n..}.....{....,..{....o......{....*.s".

C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	45152
Entropy (8bit):	6.149629800481177
Encrypted:	false
SSDEEP:	768:bBbSoy+SdIBf0k2dsYyV6Iq87PiU9FViaLmf:EoOIBf0ddsYy8LUjVBC
MD5:	2867A3817C9245F7CF518524DFD18F28
SHA1:	D7BA2A111CEDD5BF523224B3F1CFE58EEC7C2FDC
SHA-256:	43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
SHA-512:	7D3D3DBB42B7966644D716AA9CBC75327B2ACB02E43C61F1DAD4AFE5521F9FE248B33347DFE15B637FB33EB97CDB322BCAEAE08BAE3F2FD863A9AD9B3A4D6B42
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: monkey.scr.exe, Detection: malicious, Browse Filename: Overdue_account letter.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.MSIL.GenKryptik.FYGA.tr.21466.8076.exe, Detection: malicious, Browse Filename: 8vP60HbFlryaXUJ.exe, Detection: malicious, Browse Filename: Guia_6007241440032929258904227461816514046515369236897929361847432942837799.exe, Detection: malicious, Browse Filename: Guia_6007241440032929258904227461816514046515369236897929361847432942837799.exe, Detection: malicious, Browse Filename: Shipping documents.PDF.exe, Detection: malicious, Browse Filename: SWIFT REFERENCE.exe, Detection: malicious, Browse Filename: Bank TT copy.exe, Detection: malicious, Browse Filename: Shipping documents and BL. PDF.exe, Detection: malicious, Browse Filename: invoice.exe, Detection: malicious, Browse Filename: mko.exe, Detection: malicious, Browse Filename: PAYMENT COPY.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.PWSX-gen.23719.26078.exe, Detection: malicious, Browse Filename: TT COPY.exe, Detection: malicious, Browse Filename: Draft.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.CrypterX-gen.14630.22885.exe, Detection: malicious, Browse Filename: 82105269.exe, Detection: malicious, Browse Filename: Bank letter.exe, Detection: malicious, Browse Filename: STATEMENT OF ACCOUNT OCT.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...zX.Z..............0..d..........V.... ........@.. ..............................."....`.....................................O.......8............r..`>.......................................................... ............... ..H............text...\c... ...d.................. ..`.rsrc...8............f..............@..@.reloc...............p..............@..B................8.......H........+...S..........\|...P...........................................r...p(....2.(....(....z..r...p(....(....(......}......{.....s..........0..{...........Q.-.s.....+i~....o....(.....s.......o.....r!..p..(....Q.P,:.P.....(....o....o ........(....o!...o".....,..o#...t........0..(....... ....s$........o%....X..(....-...o&....0...........('......&.........................0...........(.......&.....*.................0............(.....(....~....,.(....~....o....9]...

\Device\ConDrv

Download File

Process:	C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1141
Entropy (8bit):	4.44831826838854
Encrypted:	false
SSDEEP:	24:zKLXkb4DObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0b4DQntKKH1MqJC
MD5:	1AEB3A784552CFD2AEDEDC1D43A97A4F
SHA1:	804286AB9F8B3DE053222826A69A7CDA3492411A
SHA-256:	0BC438F4B1208E1390C12D375B6CBB08BF47599D1F24BD07799BB1DF384AA293
SHA-512:	5305059BA86D5C2185E590EC036044B2A17ED9FD9863C2E3C7E7D8035EF0C79E53357AF5AE735F7D432BC70156D4BD3ACB42D100CFB05C2FB669EA22368F1415
Malicious:	false
Preview:	Microsoft (R) .NET Framework Services Installation Utility Version 4.7.3056.0..Copyright (C) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output... /c

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.888370004294712
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	PURCHASE ORDER.exe
File size:	600576
MD5:	a55b4bb09398659d69f1b8b37541e621
SHA1:	975f7c38780d00ae497fcb6addf31f5ad8cdb090
SHA256:	ea45a2032eebe69d32b15d3ea505330eb00b5026107e8e123fb9fb9e2bf87496
SHA512:	a5eb89b7b07ad51b747ba5c003d50ae8aa53c11adb23034da977e8ab25373a81c3c7216cda025c25a0d55f9cab989f93794d2512fb16a8998dfa8d58c5210590
SSDEEP:	12288:7gkzrbETClvHskFgFwIyXCD1vmAMDfJ0/IegnS1onhj6W4ytrRpMf:/76CVskFgqIyXFhS/ngSWhxROf
TLSH:	98D4023C1B457F2BC27D88F595D24E017FF18D19A021EA1AACDE66D803C67781B90ED5
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......c.............................5... ...@....@.. ....................................@................................

File Icon


Icon Hash:	0969696949097961

Static PE Info

General

Entrypoint:	0x4935d2
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x63841E09 [Mon Nov 28 02:33:45 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x93578	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x94000	0xf34	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x96000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x915d8	0x91600	False	0.8968941449914015	data	7.897447602261709	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x94000	0xf34	0x1000	False	0.674072265625	data	6.343221929180967	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x96000	0xc	0x200	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x94118	0xa75	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_GROUP_ICON	0x94b90	0x14	data
RT_GROUP_ICON	0x94ba4	0x14	data
RT_VERSION	0x94bb8	0x37c	data

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 29, 2022 11:24:36.287166119 CET	49695	587	192.168.2.4	119.148.27.3
Nov 29, 2022 11:24:36.589534998 CET	587	49695	119.148.27.3	192.168.2.4
Nov 29, 2022 11:24:36.589658976 CET	49695	587	192.168.2.4	119.148.27.3
Nov 29, 2022 11:24:38.225836039 CET	587	49695	119.148.27.3	192.168.2.4
Nov 29, 2022 11:24:38.226146936 CET	49695	587	192.168.2.4	119.148.27.3
Nov 29, 2022 11:24:38.523627043 CET	587	49695	119.148.27.3	192.168.2.4
Nov 29, 2022 11:24:38.523865938 CET	49695	587	192.168.2.4	119.148.27.3
Nov 29, 2022 11:24:38.826832056 CET	587	49695	119.148.27.3	192.168.2.4
Nov 29, 2022 11:24:38.889180899 CET	49695	587	192.168.2.4	119.148.27.3
Nov 29, 2022 11:24:39.213813066 CET	587	49695	119.148.27.3	192.168.2.4
Nov 29, 2022 11:24:39.213850975 CET	587	49695	119.148.27.3	192.168.2.4
Nov 29, 2022 11:24:39.213881016 CET	587	49695	119.148.27.3	192.168.2.4
Nov 29, 2022 11:24:39.213903904 CET	587	49695	119.148.27.3	192.168.2.4
Nov 29, 2022 11:24:39.213943005 CET	49695	587	192.168.2.4	119.148.27.3
Nov 29, 2022 11:24:39.213980913 CET	49695	587	192.168.2.4	119.148.27.3
Nov 29, 2022 11:24:39.217195988 CET	587	49695	119.148.27.3	192.168.2.4
Nov 29, 2022 11:24:39.264162064 CET	49695	587	192.168.2.4	119.148.27.3
Nov 29, 2022 11:24:39.562028885 CET	587	49695	119.148.27.3	192.168.2.4
Nov 29, 2022 11:24:39.623230934 CET	49695	587	192.168.2.4	119.148.27.3
Nov 29, 2022 11:24:39.920614004 CET	587	49695	119.148.27.3	192.168.2.4
Nov 29, 2022 11:24:39.944987059 CET	49695	587	192.168.2.4	119.148.27.3
Nov 29, 2022 11:24:40.242274046 CET	587	49695	119.148.27.3	192.168.2.4
Nov 29, 2022 11:24:40.251883984 CET	49695	587	192.168.2.4	119.148.27.3
Nov 29, 2022 11:24:40.587641954 CET	587	49695	119.148.27.3	192.168.2.4
Nov 29, 2022 11:24:40.821350098 CET	587	49695	119.148.27.3	192.168.2.4
Nov 29, 2022 11:24:40.822257996 CET	49695	587	192.168.2.4	119.148.27.3
Nov 29, 2022 11:24:41.119117975 CET	587	49695	119.148.27.3	192.168.2.4
Nov 29, 2022 11:24:41.119190931 CET	587	49695	119.148.27.3	192.168.2.4
Nov 29, 2022 11:24:41.119870901 CET	49695	587	192.168.2.4	119.148.27.3
Nov 29, 2022 11:24:41.424794912 CET	587	49695	119.148.27.3	192.168.2.4
Nov 29, 2022 11:24:41.425214052 CET	49695	587	192.168.2.4	119.148.27.3
Nov 29, 2022 11:24:41.724648952 CET	587	49695	119.148.27.3	192.168.2.4
Nov 29, 2022 11:24:41.726552963 CET	49695	587	192.168.2.4	119.148.27.3
Nov 29, 2022 11:24:41.730971098 CET	49695	587	192.168.2.4	119.148.27.3
Nov 29, 2022 11:24:41.731875896 CET	49695	587	192.168.2.4	119.148.27.3
Nov 29, 2022 11:24:41.731961966 CET	49695	587	192.168.2.4	119.148.27.3
Nov 29, 2022 11:24:42.029700041 CET	587	49695	119.148.27.3	192.168.2.4
Nov 29, 2022 11:24:42.035222054 CET	587	49695	119.148.27.3	192.168.2.4
Nov 29, 2022 11:24:42.035703897 CET	587	49695	119.148.27.3	192.168.2.4
Nov 29, 2022 11:24:42.035804033 CET	587	49695	119.148.27.3	192.168.2.4
Nov 29, 2022 11:24:42.120207071 CET	587	49695	119.148.27.3	192.168.2.4
Nov 29, 2022 11:24:42.164433956 CET	49695	587	192.168.2.4	119.148.27.3
Nov 29, 2022 11:24:57.036175013 CET	49695	587	192.168.2.4	119.148.27.3
Nov 29, 2022 11:25:15.563796043 CET	49696	587	192.168.2.4	119.148.27.3
Nov 29, 2022 11:25:15.861283064 CET	587	49696	119.148.27.3	192.168.2.4
Nov 29, 2022 11:25:15.861886024 CET	49696	587	192.168.2.4	119.148.27.3
Nov 29, 2022 11:25:17.602075100 CET	587	49696	119.148.27.3	192.168.2.4
Nov 29, 2022 11:25:17.602732897 CET	49696	587	192.168.2.4	119.148.27.3
Nov 29, 2022 11:25:17.901496887 CET	587	49696	119.148.27.3	192.168.2.4
Nov 29, 2022 11:25:17.902745962 CET	49696	587	192.168.2.4	119.148.27.3
Nov 29, 2022 11:25:18.200984001 CET	587	49696	119.148.27.3	192.168.2.4
Nov 29, 2022 11:25:18.215336084 CET	49696	587	192.168.2.4	119.148.27.3
Nov 29, 2022 11:25:18.529184103 CET	587	49696	119.148.27.3	192.168.2.4
Nov 29, 2022 11:25:18.529251099 CET	587	49696	119.148.27.3	192.168.2.4
Nov 29, 2022 11:25:18.529294968 CET	587	49696	119.148.27.3	192.168.2.4
Nov 29, 2022 11:25:18.529333115 CET	587	49696	119.148.27.3	192.168.2.4
Nov 29, 2022 11:25:18.529411077 CET	49696	587	192.168.2.4	119.148.27.3
Nov 29, 2022 11:25:18.529882908 CET	49696	587	192.168.2.4	119.148.27.3
Nov 29, 2022 11:25:18.531244040 CET	587	49696	119.148.27.3	192.168.2.4
Nov 29, 2022 11:25:18.541455984 CET	49696	587	192.168.2.4	119.148.27.3
Nov 29, 2022 11:25:18.841746092 CET	587	49696	119.148.27.3	192.168.2.4
Nov 29, 2022 11:25:18.886261940 CET	49696	587	192.168.2.4	119.148.27.3
Nov 29, 2022 11:25:18.943299055 CET	49696	587	192.168.2.4	119.148.27.3
Nov 29, 2022 11:25:19.239828110 CET	587	49696	119.148.27.3	192.168.2.4
Nov 29, 2022 11:25:19.242074013 CET	49696	587	192.168.2.4	119.148.27.3
Nov 29, 2022 11:25:19.538795948 CET	587	49696	119.148.27.3	192.168.2.4
Nov 29, 2022 11:25:19.540328979 CET	49696	587	192.168.2.4	119.148.27.3
Nov 29, 2022 11:25:19.875647068 CET	587	49696	119.148.27.3	192.168.2.4
Nov 29, 2022 11:25:19.899672031 CET	587	49696	119.148.27.3	192.168.2.4
Nov 29, 2022 11:25:19.900697947 CET	49696	587	192.168.2.4	119.148.27.3
Nov 29, 2022 11:25:20.196681023 CET	587	49696	119.148.27.3	192.168.2.4
Nov 29, 2022 11:25:20.196717978 CET	587	49696	119.148.27.3	192.168.2.4
Nov 29, 2022 11:25:20.197648048 CET	49696	587	192.168.2.4	119.148.27.3
Nov 29, 2022 11:25:20.502088070 CET	587	49696	119.148.27.3	192.168.2.4
Nov 29, 2022 11:25:20.502681017 CET	49696	587	192.168.2.4	119.148.27.3
Nov 29, 2022 11:25:20.798707008 CET	587	49696	119.148.27.3	192.168.2.4
Nov 29, 2022 11:25:20.803905010 CET	49696	587	192.168.2.4	119.148.27.3
Nov 29, 2022 11:25:20.804018974 CET	49696	587	192.168.2.4	119.148.27.3
Nov 29, 2022 11:25:20.804094076 CET	49696	587	192.168.2.4	119.148.27.3
Nov 29, 2022 11:25:20.804167986 CET	49696	587	192.168.2.4	119.148.27.3
Nov 29, 2022 11:25:21.100074053 CET	587	49696	119.148.27.3	192.168.2.4
Nov 29, 2022 11:25:21.100131035 CET	587	49696	119.148.27.3	192.168.2.4
Nov 29, 2022 11:25:21.101542950 CET	587	49696	119.148.27.3	192.168.2.4
Nov 29, 2022 11:25:21.140907049 CET	587	49696	119.148.27.3	192.168.2.4
Nov 29, 2022 11:25:21.183245897 CET	49696	587	192.168.2.4	119.148.27.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 29, 2022 11:24:36.029767036 CET	56572	53	192.168.2.4	8.8.8.8
Nov 29, 2022 11:24:36.203140020 CET	53	56572	8.8.8.8	192.168.2.4
Nov 29, 2022 11:25:15.366661072 CET	50911	53	192.168.2.4	8.8.8.8
Nov 29, 2022 11:25:15.530844927 CET	53	50911	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 29, 2022 11:24:36.029767036 CET	192.168.2.4	8.8.8.8	0x2672	Standard query (0)	mail.orogenicgroup-bd.com	A (IP address)	IN (0x0001)	false
Nov 29, 2022 11:25:15.366661072 CET	192.168.2.4	8.8.8.8	0x3968	Standard query (0)	mail.orogenicgroup-bd.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 29, 2022 11:24:36.203140020 CET	8.8.8.8	192.168.2.4	0x2672	No error (0)	mail.orogenicgroup-bd.com		119.148.27.3	A (IP address)	IN (0x0001)	false
Nov 29, 2022 11:25:15.530844927 CET	8.8.8.8	192.168.2.4	0x3968	No error (0)	mail.orogenicgroup-bd.com		119.148.27.3	A (IP address)	IN (0x0001)	false

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Nov 29, 2022 11:24:38.225836039 CET	587	49695	119.148.27.3	192.168.2.4	220-panel2.agni.com ESMTP Exim 4.95 #2 Tue, 29 Nov 2022 16:24:38 +0600 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 29, 2022 11:24:38.226146936 CET	49695	587	192.168.2.4	119.148.27.3	EHLO 549163
Nov 29, 2022 11:24:38.523627043 CET	587	49695	119.148.27.3	192.168.2.4	250-panel2.agni.com Hello 549163 [102.129.143.49] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPE_CONNECT 250-STARTTLS 250 HELP
Nov 29, 2022 11:24:38.523865938 CET	49695	587	192.168.2.4	119.148.27.3	STARTTLS
Nov 29, 2022 11:24:38.826832056 CET	587	49695	119.148.27.3	192.168.2.4	220 TLS go ahead
Nov 29, 2022 11:25:17.602075100 CET	587	49696	119.148.27.3	192.168.2.4	220-panel2.agni.com ESMTP Exim 4.95 #2 Tue, 29 Nov 2022 16:25:17 +0600 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 29, 2022 11:25:17.602732897 CET	49696	587	192.168.2.4	119.148.27.3	EHLO 549163
Nov 29, 2022 11:25:17.901496887 CET	587	49696	119.148.27.3	192.168.2.4	250-panel2.agni.com Hello 549163 [102.129.143.49] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPE_CONNECT 250-STARTTLS 250 HELP
Nov 29, 2022 11:25:17.902745962 CET	49696	587	192.168.2.4	119.148.27.3	STARTTLS
Nov 29, 2022 11:25:18.200984001 CET	587	49696	119.148.27.3	192.168.2.4	220 TLS go ahead

Target ID:	0
Start time:	11:23:57
Start date:	29/11/2022
Path:	C:\Users\user\Desktop\PURCHASE ORDER.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\PURCHASE ORDER.exe
Imagebase:	0xc10000
File size:	600576 bytes
MD5 hash:	A55B4BB09398659D69F1B8B37541E621
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.341336847.0000000003297000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.342927901.0000000004279000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.342927901.0000000004279000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000000.00000002.342927901.0000000004279000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Target ID:	1
Start time:	11:24:14
Start date:	29/11/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PAyWOGoRT" /XML "C:\Users\user\AppData\Local\Temp\tmpF89B.tmp
Imagebase:	0x2f0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	2
Start time:	11:24:15
Start date:	29/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	3
Start time:	11:24:15
Start date:	29/11/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0x610000
File size:	45152 bytes
MD5 hash:	2867A3817C9245F7CF518524DFD18F28
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000000.337559814.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000000.337559814.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000003.00000000.337559814.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.412448960.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.412448960.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Target ID:	4
Start time:	11:24:17
Start date:	29/11/2022
Path:	C:\Users\user\AppData\Roaming\PAyWOGoRT.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\PAyWOGoRT.exe
Imagebase:	0xb40000
File size:	600576 bytes
MD5 hash:	A55B4BB09398659D69F1B8B37541E621
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 61%, ReversingLabs
Reputation:	low

Show Windows behavior

Target ID:	5
Start time:	11:24:31
Start date:	29/11/2022
Path:	C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe"
Imagebase:	0x900000
File size:	45152 bytes
MD5 hash:	2867A3817C9245F7CF518524DFD18F28
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	high

Show Windows behavior

Target ID:	6
Start time:	11:24:32
Start date:	29/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	7
Start time:	11:24:40
Start date:	29/11/2022
Path:	C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe"
Imagebase:	0x5c0000
File size:	45152 bytes
MD5 hash:	2867A3817C9245F7CF518524DFD18F28
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Reputation:	high

Show Windows behavior

Target ID:	8
Start time:	11:24:41
Start date:	29/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	9
Start time:	11:24:43
Start date:	29/11/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PAyWOGoRT" /XML "C:\Users\user\AppData\Local\Temp\tmp6AED.tmp
Imagebase:	0x2f0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	10
Start time:	11:24:43
Start date:	29/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	11
Start time:	11:24:44
Start date:	29/11/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	false
Commandline:	{path}
Imagebase:	0x1b0000
File size:	45152 bytes
MD5 hash:	2867A3817C9245F7CF518524DFD18F28
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	12
Start time:	11:24:44
Start date:	29/11/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0x640000
File size:	45152 bytes
MD5 hash:	2867A3817C9245F7CF518524DFD18F28
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.570378772.0000000002A5C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.570378772.0000000002A5C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security

Show Windows behavior

Execution Graph

Execution Coverage:	13.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	11.5%
Total number of Nodes:	312
Total number of Limit Nodes:	22

Executed Functions

Function 031C65A9 Relevance: 38.5, Strings: 29, Instructions: 2298
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

B, xrefs: 031C7633
, xrefs: 031C7D94
w, xrefs: 031C7BE8
, xrefs: 031C7BF2
P, xrefs: 031C6F08
n, xrefs: 031C6CF8
', xrefs: 031C7138
c, xrefs: 031C7F28
x, xrefs: 031C7A9A
L, xrefs: 031C7231
p, xrefs: 031C7328
C, xrefs: 031C6973
*, xrefs: 031C75B7
V, xrefs: 031C6D73
, xrefs: 031C80D1
T, xrefs: 031C7AA4
', xrefs: 031C690C
8, xrefs: 031C6BA6
', xrefs: 031C6E92
U, xrefs: 031C77FB
p, xrefs: 031C6BAD
, xrefs: 031C7F32
J, xrefs: 031C6A5E
N, xrefs: 031C7781
y, xrefs: 031C83F2
X, xrefs: 031C74CD
K, xrefs: 031C7D8A
[, xrefs: 031C80C7
>, xrefs: 031C708D

Memory Dump Source

Source File: 00000000.00000002.340847239.00000000031C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31c0000_PURCHASE ORDER.jbxd

Similarity

API ID:
String ID: $ $ $ $'$'$'$*$8$>$B$C$J$K$L$N$P$T$U$V$X$[$c$n$p$p$w$x$y
API String ID: 0-2341653528
Opcode ID: 132c604ff488d0063bb9373ece0af6126a85171e47d9c7f36a58159aeb45cc5c
Instruction ID: a394dccf6d71f67d30b6a9e83f015e7ce8c0bc6e8696e99796d17fcea82c9b67
Opcode Fuzzy Hash: 132c604ff488d0063bb9373ece0af6126a85171e47d9c7f36a58159aeb45cc5c
Instruction Fuzzy Hash: DA33F034A606158FCB54EF38C858AACB7F6AF89701F1541E9E10AEB361DB71AD81CF41

Uniqueness

Uniqueness Score: -1.00%

Function 031C65B8 Relevance: 38.5, Strings: 29, Instructions: 2292
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

B, xrefs: 031C7633
, xrefs: 031C7D94
w, xrefs: 031C7BE8
, xrefs: 031C7BF2
P, xrefs: 031C6F08
n, xrefs: 031C6CF8
', xrefs: 031C7138
c, xrefs: 031C7F28
x, xrefs: 031C7A9A
L, xrefs: 031C7231
p, xrefs: 031C7328
C, xrefs: 031C6973
*, xrefs: 031C75B7
V, xrefs: 031C6D73
, xrefs: 031C80D1
T, xrefs: 031C7AA4
', xrefs: 031C690C
8, xrefs: 031C6BA6
', xrefs: 031C6E92
U, xrefs: 031C77FB
p, xrefs: 031C6BAD
, xrefs: 031C7F32
J, xrefs: 031C6A5E
N, xrefs: 031C7781
y, xrefs: 031C83F2
X, xrefs: 031C74CD
K, xrefs: 031C7D8A
[, xrefs: 031C80C7
>, xrefs: 031C708D

Memory Dump Source

Source File: 00000000.00000002.340847239.00000000031C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31c0000_PURCHASE ORDER.jbxd

Similarity

API ID:
String ID: $ $ $ $'$'$'$*$8$>$B$C$J$K$L$N$P$T$U$V$X$[$c$n$p$p$w$x$y
API String ID: 0-2341653528
Opcode ID: 87ad27cf744e0bc8384e821dfac67ded3f8393986a9e05e6f82fbfc8a4cecf3d
Instruction ID: 3206606d7d6c18487fa6ae43e7e7e893cf9528e7486f04680af11b65783e18f5
Opcode Fuzzy Hash: 87ad27cf744e0bc8384e821dfac67ded3f8393986a9e05e6f82fbfc8a4cecf3d
Instruction Fuzzy Hash: 3F33F034A606158FCB54EF38C858AACB7F6AF89701F1541E9E10AEB361DB71AD81CF41

Uniqueness

Uniqueness Score: -1.00%

Function 01553D9D Relevance: 2.8, Strings: 2, Instructions: 302
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

xol, xrefs: 01553D27
?^y+, xrefs: 01554098

Memory Dump Source

Source File: 00000000.00000002.339905773.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1550000_PURCHASE ORDER.jbxd

Similarity

API ID:
String ID: ?^y+$xol
API String ID: 0-3609532666
Opcode ID: 27a63b2312e1588317d773aca8e2e8d8122e7f332a0f85786a8b1a02d62ea382
Instruction ID: 65e6d8e87f56e1f7ec8d864aa15f901397dcf6715ce82490d4ea7bc5b49c113e
Opcode Fuzzy Hash: 27a63b2312e1588317d773aca8e2e8d8122e7f332a0f85786a8b1a02d62ea382
Instruction Fuzzy Hash: 4DC16A74E19209DFCB84CFE5E5906ADFBF2BF89380F24942AD819AB254D7389945CF10

Uniqueness

Uniqueness Score: -1.00%

Function 01550EA0 Relevance: 1.4, Strings: 1, Instructions: 182COMMON

Download Yara Rule

Strings

L)/4, xrefs: 0155107A

Memory Dump Source

Source File: 00000000.00000002.339905773.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1550000_PURCHASE ORDER.jbxd

Similarity

API ID:
String ID: L)/4
API String ID: 0-4105341230
Opcode ID: 938ee4f496b69cd7cebc5542d2fc4498e25115b7b28bc55cd88f39097ecafd6a
Instruction ID: 4793a8a511fc89ab26bc432d769a214f59f0a76576c61f8d2aac4f6e9645f2c4
Opcode Fuzzy Hash: 938ee4f496b69cd7cebc5542d2fc4498e25115b7b28bc55cd88f39097ecafd6a
Instruction Fuzzy Hash: D7710474E10209DFCB14DFA5D9955AEBBB2FF89301F20842AE815AB394DB746902CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01550EB0 Relevance: 1.4, Strings: 1, Instructions: 180COMMON

Download Yara Rule

Strings

L)/4, xrefs: 0155107A

Memory Dump Source

Source File: 00000000.00000002.339905773.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1550000_PURCHASE ORDER.jbxd

Similarity

API ID:
String ID: L)/4
API String ID: 0-4105341230
Opcode ID: 8175857e184fd451cb9fdfb11783725fa708a1dd7ea0cf541a5568a418453e88
Instruction ID: e77e54404f501e8908af3a1d4847abf952597e5f72e378e6777dee04c177c55c
Opcode Fuzzy Hash: 8175857e184fd451cb9fdfb11783725fa708a1dd7ea0cf541a5568a418453e88
Instruction Fuzzy Hash: 46710474E11209DFCB44DFE5D9955AEBBB2FF89301F20842AE815AB354DB746902CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01553F9B Relevance: 1.4, Strings: 1, Instructions: 120COMMON

Download Yara Rule

Strings

?^y+, xrefs: 01554098

Memory Dump Source

Source File: 00000000.00000002.339905773.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1550000_PURCHASE ORDER.jbxd

Similarity

API ID:
String ID: ?^y+
API String ID: 0-3178172334
Opcode ID: e2273a9a043d4382b907d4e69dad7cabc8fe159a2317bb43f779f9e0701f301d
Instruction ID: a34e3582c2c813c5b02f8dc3f527142db39052a57faeb69550ad2506a8139f38
Opcode Fuzzy Hash: e2273a9a043d4382b907d4e69dad7cabc8fe159a2317bb43f779f9e0701f301d
Instruction Fuzzy Hash: A9412C74E15249DFCB84CFE4D59119DFBF2BF89350F20981AD81ABF258D33899858B14

Uniqueness

Uniqueness Score: -1.00%

Function 01551C40 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.339905773.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1550000_PURCHASE ORDER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49fdb0873c904112cbeb741b7e0233bbebf3c2ff6a7061a51d7d0b71ee58889d
Instruction ID: 627060639739eb4bd2d50840cc9a95e0b3aa37a9defac583efa09c79bf006fb0
Opcode Fuzzy Hash: 49fdb0873c904112cbeb741b7e0233bbebf3c2ff6a7061a51d7d0b71ee58889d
Instruction Fuzzy Hash: 7B614870E06618DFDB44CFA9D6947EDBFF2BB89350F24942AE406BB218D73499418B14

Uniqueness

Uniqueness Score: -1.00%

Function 01551C31 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.339905773.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1550000_PURCHASE ORDER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c4b41c2c11bdedcbb30d79b5ed789b852834429b8739c31a451a0b4ac172030
Instruction ID: 353ceee0fc5b3367fb3a8175da06bad1b771235184dd398af923ca5ae45d7465
Opcode Fuzzy Hash: 6c4b41c2c11bdedcbb30d79b5ed789b852834429b8739c31a451a0b4ac172030
Instruction Fuzzy Hash: 36515974E066189FCB44CFA9D5D47EDBFF2BB89350F24942AE806BB218D73499418B14

Uniqueness

Uniqueness Score: -1.00%

Function 0160B528 Relevance: 6.1, APIs: 4, Instructions: 123
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0160B590
GetCurrentThread.KERNEL32 ref: 0160B5CD
GetCurrentProcess.KERNEL32 ref: 0160B60A
GetCurrentThreadId.KERNEL32 ref: 0160B663

Memory Dump Source

Source File: 00000000.00000002.339982500.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1600000_PURCHASE ORDER.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: ce6a4540afe578496cb63e8ad3e1ba46f069a4e45030afa926894bc97905b955
Instruction ID: e5118a26287aa9f2267bc6d67798aac75287d4b9542ef8b63fd5857bf827d11a
Opcode Fuzzy Hash: ce6a4540afe578496cb63e8ad3e1ba46f069a4e45030afa926894bc97905b955
Instruction Fuzzy Hash: 5D5156B49042488FEB14CFA9D948BEEBBF0BF88314F248559E019A7390C7745944CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0160B530 Relevance: 6.1, APIs: 4, Instructions: 120
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0160B590
GetCurrentThread.KERNEL32 ref: 0160B5CD
GetCurrentProcess.KERNEL32 ref: 0160B60A
GetCurrentThreadId.KERNEL32 ref: 0160B663

Memory Dump Source

Source File: 00000000.00000002.339982500.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1600000_PURCHASE ORDER.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 052790db7be31c41f77f5c8b42036eb6dfc8aa0b59f4a4edb429cca19e02a792
Instruction ID: e8cdde72fa23debc94976a65fc37af001509a9cc992e82382b28eeacaa8b51f4
Opcode Fuzzy Hash: 052790db7be31c41f77f5c8b42036eb6dfc8aa0b59f4a4edb429cca19e02a792
Instruction Fuzzy Hash: 4D5156B49042488FEB18CFA9D948B9EBBF0EF48314F248559E419A7390C774A844CF65

Uniqueness

Uniqueness Score: -1.00%

Function 01609148 Relevance: 1.7, APIs: 1, Instructions: 196
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.339982500.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1600000_PURCHASE ORDER.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: f335222c4d7913be41756fdc32a22a6d8fe503ffc0df4bbe7cd775102a17ff9c
Instruction ID: 2de766e7a2b1167b1dfe6a08ff0db211f0912f054b62f1a8372e51b7b949459f
Opcode Fuzzy Hash: f335222c4d7913be41756fdc32a22a6d8fe503ffc0df4bbe7cd775102a17ff9c
Instruction Fuzzy Hash: BC711470A10B058FDB29DF29D44475BBBF2BF88304F00892DD48ADBA91D775E8458F91

Uniqueness

Uniqueness Score: -1.00%

Function 015533E5 Relevance: 1.6, APIs: 1, Instructions: 146
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,00000009,?,?,?,?,?,?,?), ref: 01553543

Memory Dump Source

Source File: 00000000.00000002.339905773.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1550000_PURCHASE ORDER.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 36390587f224875eb4cb0fe4dd5a73f0c67c9fd4c2e92ce6e85534e961a366ca
Instruction ID: 00790816d2a3edeb37c045d8843b824e5a76550a6361f94b64e7e3ba57b2da60
Opcode Fuzzy Hash: 36390587f224875eb4cb0fe4dd5a73f0c67c9fd4c2e92ce6e85534e961a366ca
Instruction Fuzzy Hash: 44511871905319DFDB60CF99C884BDDBBB1BF88304F15849AE90CA7250DB759A88CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 015533F0 Relevance: 1.6, APIs: 1, Instructions: 143
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,00000009,?,?,?,?,?,?,?), ref: 01553543

Memory Dump Source

Source File: 00000000.00000002.339905773.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1550000_PURCHASE ORDER.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 1e930aa0fa88ba01475cc26d4ef526b5fca859ff0f6e4f60ae9a4c77965ddc14
Instruction ID: 48568bb0d49da3e785e83ab20f527ab4ddc4ab8113f0ae3443bb88f9e91143f0
Opcode Fuzzy Hash: 1e930aa0fa88ba01475cc26d4ef526b5fca859ff0f6e4f60ae9a4c77965ddc14
Instruction Fuzzy Hash: A2511871905318DFDB60CF99C884BDDBBB1BF88304F15849AE90CA7250DB759A88CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0160FA4D Relevance: 1.6, APIs: 1, Instructions: 122
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0160FB6A

Memory Dump Source

Source File: 00000000.00000002.339982500.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1600000_PURCHASE ORDER.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 2f079bd2112ddae014940ead51f03c930d756970bfc525363356e096b3137b28
Instruction ID: cb42d1292f328cbd2d4ed4feabe5d59f2df775d11d4293a7e6ca8ab5830fb4cf
Opcode Fuzzy Hash: 2f079bd2112ddae014940ead51f03c930d756970bfc525363356e096b3137b28
Instruction Fuzzy Hash: 4451B2B1D00309DFDF15CFA9C884ADEBBB5BF88314F24856AE819AB250D7749985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0160FA58 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0160FB6A

Memory Dump Source

Source File: 00000000.00000002.339982500.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1600000_PURCHASE ORDER.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 53b7997d428145afb387ee357d03f7aeb8d8907034bc6ca4c5e45f7c4cdfba57
Instruction ID: bd6223c592d5dc78158bed1f87746328377db1feeccd34db456cc1c73a7f53f0
Opcode Fuzzy Hash: 53b7997d428145afb387ee357d03f7aeb8d8907034bc6ca4c5e45f7c4cdfba57
Instruction Fuzzy Hash: E841AFB1D00309DFDB15CF9AC884ADEBBB5BF88314F24852AE819AB250D7749885CF90

Uniqueness

Uniqueness Score: -1.00%

Function 031C22F0 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 031C23B1

Memory Dump Source

Source File: 00000000.00000002.340847239.00000000031C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_31c0000_PURCHASE ORDER.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: b54defac7402253daee71326ef5ed8f95cdf7dae5753b6a075757914f3175f15
Instruction ID: 3c27f8eede5f6343167aec9453a9a2d0c6d127ffead48b29c5002980e9c2ed8d
Opcode Fuzzy Hash: b54defac7402253daee71326ef5ed8f95cdf7dae5753b6a075757914f3175f15
Instruction Fuzzy Hash: 114117B4914345CFDB14CF99C848AAABBF5FB9C314F15895DD419AB321D374A841CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0160B750 Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0160B7DF

Memory Dump Source

Source File: 00000000.00000002.339982500.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1600000_PURCHASE ORDER.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 78c2006b2ad4f71bcb0816007cbfabcbb6c1fd2900e3c65cd1a5b90df27cc2e5
Instruction ID: 014623bb29fe662184f858d56ed6fae5eb0d090bf4a6a0a6f680a25ff522506c
Opcode Fuzzy Hash: 78c2006b2ad4f71bcb0816007cbfabcbb6c1fd2900e3c65cd1a5b90df27cc2e5
Instruction Fuzzy Hash: D121F2B59012089FDB10CFA9D884AEEBBF4EF48324F14851AE954A3350D378A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01553990 Relevance: 1.6, APIs: 1, Instructions: 65injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 01553A25

Memory Dump Source

Source File: 00000000.00000002.339905773.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1550000_PURCHASE ORDER.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: f2eb587e4269e079124fddca3d9c981cb93770ad3ca94fa8bc5ea57eed7baa6f
Instruction ID: 4b2160f20135f296cc133b775da40ca1d015cbcb66378618fcdb318ed12de864
Opcode Fuzzy Hash: f2eb587e4269e079124fddca3d9c981cb93770ad3ca94fa8bc5ea57eed7baa6f
Instruction Fuzzy Hash: 232103B5900259DFDB50CF9AD985BDEBBF4FB48354F00852AE958A7240D378A940CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01553998 Relevance: 1.6, APIs: 1, Instructions: 65injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 01553A25

Memory Dump Source

Source File: 00000000.00000002.339905773.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1550000_PURCHASE ORDER.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 4827713454d5ea8b751b9edf94313620d5ae6f1d6ea938497a59037f427b27dd
Instruction ID: eef7a2066b665433d29d5717a85cd12ad232e5fc79aa1d1debed80e2959f381f
Opcode Fuzzy Hash: 4827713454d5ea8b751b9edf94313620d5ae6f1d6ea938497a59037f427b27dd
Instruction Fuzzy Hash: E821E4B1900259DFDB50CF9AD885BDEBBF4FB48314F00852AE958A7240D778A944CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0160B758 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0160B7DF

Memory Dump Source

Source File: 00000000.00000002.339982500.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1600000_PURCHASE ORDER.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 52807b0b9b4a6e1371c2fcf1062bd1cf78750bfbd1e19ce06c9d61089a823270
Instruction ID: 6ecacb087037ffb3265c25fef73dd8607d9eebbb749c91942b19d253f1fcfa49
Opcode Fuzzy Hash: 52807b0b9b4a6e1371c2fcf1062bd1cf78750bfbd1e19ce06c9d61089a823270
Instruction Fuzzy Hash: 0521F5B5D00209DFDB10CF9AD884AEEBBF4FB48324F14801AE914A3350D374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01553819 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0155389F

Memory Dump Source

Source File: 00000000.00000002.339905773.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1550000_PURCHASE ORDER.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 7d5c65b2b1f152977943c9e1da710f899e2d9fc65a4c9d3963951dac9ab8a079
Instruction ID: 3b7b1ddc235786d022f603a7d21488ff99f299ec8bc47c654b002eb4b82ca3ad
Opcode Fuzzy Hash: 7d5c65b2b1f152977943c9e1da710f899e2d9fc65a4c9d3963951dac9ab8a079
Instruction Fuzzy Hash: 732102B6D01219DFDB10CF9AC984BDEBBF4FB48320F04842AE958A7240D378A544CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01553820 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0155389F

Memory Dump Source

Source File: 00000000.00000002.339905773.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1550000_PURCHASE ORDER.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 7ad08e7f84c24f3c1c5bc93f1984b867f1097f2facaf3a219a2d41a99b88eb1d
Instruction ID: d8e182ee71f41df0a47eea29a38e9a3fdf7b1a467a5ba78b59965afaaef85227
Opcode Fuzzy Hash: 7ad08e7f84c24f3c1c5bc93f1984b867f1097f2facaf3a219a2d41a99b88eb1d
Instruction Fuzzy Hash: A621E2B5905259DFDB10CF9AD884BDEBBF4FB48320F14842AE958A7250D378A544CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01553759 Relevance: 1.6, APIs: 1, Instructions: 58threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 015537D7

Memory Dump Source

Source File: 00000000.00000002.339905773.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1550000_PURCHASE ORDER.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 7cf9a872b3e35389ca86cbbb742f5a134973dadb884d921a5f9fdd5e9cf7dd15
Instruction ID: c2b40f1e3550074ba2db04aac53ab325c7d3a839f486f0b8b5d0cd4fe342546b
Opcode Fuzzy Hash: 7cf9a872b3e35389ca86cbbb742f5a134973dadb884d921a5f9fdd5e9cf7dd15
Instruction Fuzzy Hash: B42133B5D102199FDB40CF9AC9857EEFBF4BB48224F05812AD818B7740D378AA448FA1

Uniqueness

Uniqueness Score: -1.00%

Function 01553760 Relevance: 1.6, APIs: 1, Instructions: 58threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 015537D7

Memory Dump Source

Source File: 00000000.00000002.339905773.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1550000_PURCHASE ORDER.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: c511ca6b1a39439f1bfbc4eb5135bc3d6d0c0d5b8bea38947feed66b87949607
Instruction ID: 4bb65966045292a0c718b81c8d0b7217cb3d57e5bb9183afe7a32f9c61b95775
Opcode Fuzzy Hash: c511ca6b1a39439f1bfbc4eb5135bc3d6d0c0d5b8bea38947feed66b87949607
Instruction Fuzzy Hash: 832106B1D142199FDB50CF9AC985BEEFBF4BB48324F44812AD818B7740D778A9448FA1

Uniqueness

Uniqueness Score: -1.00%

Function 016099A8 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,?,?), ref: 01609A1A

Memory Dump Source

Source File: 00000000.00000002.339982500.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1600000_PURCHASE ORDER.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8e6a76caa5772f867d45c07d6dd3688ac5e2e9607c27f836a431d0253e6fc226
Instruction ID: f5241e7ad7745d0eda9a0ce1f59af255b2de8cf7d4ee8413aadb5f869ad97df0
Opcode Fuzzy Hash: 8e6a76caa5772f867d45c07d6dd3688ac5e2e9607c27f836a431d0253e6fc226
Instruction Fuzzy Hash: E92138B18042498FDB10CF9AC884BDEFBF5EB88314F14811ED419A7600C374A546CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 016099B0 Relevance: 1.6, APIs: 1, Instructions: 52libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,?,?), ref: 01609A1A

Memory Dump Source

Source File: 00000000.00000002.339982500.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1600000_PURCHASE ORDER.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 9c646e78d5b2e08cdc468161f1f797ad1bb3233dafae1555bfc79e48241c7354
Instruction ID: 53b8745916206b35b35ddaaf6d195ad8f864e22937256cf5242b4d5f30207e3d
Opcode Fuzzy Hash: 9c646e78d5b2e08cdc468161f1f797ad1bb3233dafae1555bfc79e48241c7354
Instruction Fuzzy Hash: 561123B6C042498FDB14CF9AC848BDEFBF5AB88324F04842AE919A7340C374A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 01606C34 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,0160915B), ref: 0160938E

Memory Dump Source

Source File: 00000000.00000002.339982500.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1600000_PURCHASE ORDER.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: b99b24f903009702b5ebf0f0bcacc6f02237ad3a9315cf2dae03f988243cf295
Instruction ID: 70949292b2124d7b1a2e43d4ce20442c2a0687a1577a84e57d0fb86894017d1f
Opcode Fuzzy Hash: b99b24f903009702b5ebf0f0bcacc6f02237ad3a9315cf2dae03f988243cf295
Instruction Fuzzy Hash: 3511E2B58042498BDB18CF9AD848B9FFBF5EB88324F14841AD419A7240C374A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0160FC99 Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 0160FCFD

Memory Dump Source

Source File: 00000000.00000002.339982500.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1600000_PURCHASE ORDER.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 69b5dcb2e4ed609473a7a1e2221ac7b33958a27fa3f094b2f3f4b64639df73cf
Instruction ID: 7f1202b404b4512a6ddbe344f4111bf397f4427ee831b19c6409d17fe261e2b6
Opcode Fuzzy Hash: 69b5dcb2e4ed609473a7a1e2221ac7b33958a27fa3f094b2f3f4b64639df73cf
Instruction Fuzzy Hash: 451158B5804248CFDB20CF99D888BEFBBF4EB88324F108559D854A7340C374A941CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 015538E8 Relevance: 1.5, APIs: 1, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0155395B

Memory Dump Source

Source File: 00000000.00000002.339905773.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1550000_PURCHASE ORDER.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ac19050d1876f0cfacd62af1cf1edad7ab6ca00d7f77f40ac3b11e345afbc8e0
Instruction ID: bfe72f4afa3f84c2d461525326153ff4b4671c2ee70aac9eaec297b881888a74
Opcode Fuzzy Hash: ac19050d1876f0cfacd62af1cf1edad7ab6ca00d7f77f40ac3b11e345afbc8e0
Instruction Fuzzy Hash: 9F1113B6804259DFDB10CF99C988BDEBBF4FB48324F14841AE928A7650C375A940CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 015538F0 Relevance: 1.5, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0155395B

Memory Dump Source

Source File: 00000000.00000002.339905773.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1550000_PURCHASE ORDER.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 4198e5e448a9e258f18c8e8073f630b2ab4b44d4021884c7195e809c67d9346b
Instruction ID: a9ab385ea39741ca85d87b77a854b195d01692658261cc699dde17d16d56ff43
Opcode Fuzzy Hash: 4198e5e448a9e258f18c8e8073f630b2ab4b44d4021884c7195e809c67d9346b
Instruction Fuzzy Hash: 1B11F5B5904249DFDB10CF9AD888BDEBFF4FB88324F14841AE969A7250C375A544CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 015544A0 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 01554505

Memory Dump Source

Source File: 00000000.00000002.339905773.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1550000_PURCHASE ORDER.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 10de37fd41a2409dbfc97b32240890a639fa4a5d7276a60a49426045f5fb1039
Instruction ID: ce4b897fba5ff951e680d3d4b6cf0997e8a2a0b1ef970f3c29eb9dea3ddb9ab0
Opcode Fuzzy Hash: 10de37fd41a2409dbfc97b32240890a639fa4a5d7276a60a49426045f5fb1039
Instruction Fuzzy Hash: 5111F8B5800249CFDB10DF99C989BEEBBF4FB48324F14841AD954A7640E374A584CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0160FCA0 Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 0160FCFD

Memory Dump Source

Source File: 00000000.00000002.339982500.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1600000_PURCHASE ORDER.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 4289ef16d8ef52e8d1ee3fd26fe14705136bf219f5d911514105ec23c2654c69
Instruction ID: 2d40a0b8fd969c7591d2c202bc0c2cd1b63175bbb7bff1425d986abe4372c684
Opcode Fuzzy Hash: 4289ef16d8ef52e8d1ee3fd26fe14705136bf219f5d911514105ec23c2654c69
Instruction Fuzzy Hash: 4C1103B58002499FDB20CF99D888BDFBBF8EB48324F10851AD914A7340C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01553B48 Relevance: 1.5, APIs: 1, Instructions: 44threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 01553BAF

Memory Dump Source

Source File: 00000000.00000002.339905773.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1550000_PURCHASE ORDER.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: faa8685abf2eb4fea2761394ca28b40999de5815b0d373423e5e538c29139716
Instruction ID: d735ba4ee7f41ea8ddebe4682b1d580758caea8e9f21dab86ea9418ef18418d6
Opcode Fuzzy Hash: faa8685abf2eb4fea2761394ca28b40999de5815b0d373423e5e538c29139716
Instruction Fuzzy Hash: BA1100B58042098FDB60CF9AD989BDEBBF4BB48324F14881AD958A7240D374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 015544A8 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 01554505

Memory Dump Source

Source File: 00000000.00000002.339905773.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1550000_PURCHASE ORDER.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 2021eacf1992fe9c1951f0b2a2445e3b3e98a49884c66337a4046ceb3ded0eb3
Instruction ID: 33b73e22d24df30d39d8d897a15675d40105efddc04e1c182ae866b7e7624df0
Opcode Fuzzy Hash: 2021eacf1992fe9c1951f0b2a2445e3b3e98a49884c66337a4046ceb3ded0eb3
Instruction Fuzzy Hash: 0911E5B5804349DFDB10CF99D888BDEBBF8FB48324F14841AD958A7600D374A584CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01553B50 Relevance: 1.5, APIs: 1, Instructions: 43threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 01553BAF

Memory Dump Source

Source File: 00000000.00000002.339905773.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1550000_PURCHASE ORDER.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 0e47cf2592a6ad37196582125295fdf2e0ce7d721b973cb472ab238239565b0d
Instruction ID: a6a0232ce73c77babec135bf8f75809d67cedc2b1e68afbaf572b81789a64c75
Opcode Fuzzy Hash: 0e47cf2592a6ad37196582125295fdf2e0ce7d721b973cb472ab238239565b0d
Instruction Fuzzy Hash: 781112B18042498FDB60CF9AD888BDEBBF4FB48324F10841AD958A7240C774A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0123D4A0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.339155852.000000000123D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0123D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_123d000_PURCHASE ORDER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae7afd81be35e191ca0a199127bb20ab81161ced476aed6431e7d29d9647407b
Instruction ID: 204a43b1dfc3401d92e48054ab6438971458fabe9e924e4258ff590cc940ee70
Opcode Fuzzy Hash: ae7afd81be35e191ca0a199127bb20ab81161ced476aed6431e7d29d9647407b
Instruction Fuzzy Hash: 632148F1518245DFDB01CF88E8C0B26BF65FBC8328F608568EA094B247C336D805C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0124D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.339187507.000000000124D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0124D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_124d000_PURCHASE ORDER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0efaf7d87cbad3a65b08307d8d356079211858e663f7b75d51ce50de49119ef8
Instruction ID: 8c7d83c68e22fe0ed062f71888bc8a5fa315ac7d93f57731fc2b4939c2bf2a9c
Opcode Fuzzy Hash: 0efaf7d87cbad3a65b08307d8d356079211858e663f7b75d51ce50de49119ef8
Instruction Fuzzy Hash: D1216E71518204DFDB09CF94C9C0B25BBA1FB98724F20C96DE9094B343C376D806CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0124D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.339187507.000000000124D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0124D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_124d000_PURCHASE ORDER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e840db0f9b03982363ed3b6bc53828f8cedfef7440286270398e11b6e1a59480
Instruction ID: 8faf9989e3fbaf88afa7a8ade62e9f5308ff081fdffc2dbacc41ee05a43c2437
Opcode Fuzzy Hash: e840db0f9b03982363ed3b6bc53828f8cedfef7440286270398e11b6e1a59480
Instruction Fuzzy Hash: 83213771518248DFDB19CF94D8C4B26BB61FB98754F20C96DD9094B346C377D807CA61

Uniqueness

Uniqueness Score: -1.00%

Function 0124D006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.339187507.000000000124D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0124D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_124d000_PURCHASE ORDER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2be6af8e78911ef4f05817b2aa34286044ebf7da615301eec9dc59f7f855057
Instruction ID: 26848af3f2a14628d6fb87b21c529f52d5579a5c65f6d033adadb997ac86aa38
Opcode Fuzzy Hash: d2be6af8e78911ef4f05817b2aa34286044ebf7da615301eec9dc59f7f855057
Instruction Fuzzy Hash: 46218E754083849FDB06CF64D994B11BF71EB46314F28C5EAD9498B2A7C33A984ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0123D49B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.339155852.000000000123D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0123D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_123d000_PURCHASE ORDER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3cb3e44370515572fb733351235636ff71e6e31c7d1222fc57b3ac88bc4a795
Instruction ID: f2e1afa7d9a3ad1eec3eb180f9c6654fa5da9741782c85716978f3772be350b0
Opcode Fuzzy Hash: f3cb3e44370515572fb733351235636ff71e6e31c7d1222fc57b3ac88bc4a795
Instruction Fuzzy Hash: A111E1B2804284CFDF12CF48D9C4B16BF72FB84324F2486A9D9050B257C336D45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0124D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.339187507.000000000124D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0124D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_124d000_PURCHASE ORDER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 363af4797271886f9a9a785279a90f4a175c74c994b233d3b912b101d7110f26
Instruction ID: d2379380a12aa4d1ba83dde6971012cbf818b647821076f8e327c71e9111d67e
Opcode Fuzzy Hash: 363af4797271886f9a9a785279a90f4a175c74c994b233d3b912b101d7110f26
Instruction Fuzzy Hash: 5211BB75904284DFDB06CF54C5C4B15BBB1FB84224F28C6A9D9494B657C33AD44ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 0123D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.339155852.000000000123D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0123D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_123d000_PURCHASE ORDER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b96d1cee188900ba73ffa6616c9bc8564556cad23ad9a86373bdfb8eec162e93
Instruction ID: ce9f55fa0d5523eebf2c3ff65b9cecb4a2cdf9fba37df9ff7c3ae40af7ec5df4
Opcode Fuzzy Hash: b96d1cee188900ba73ffa6616c9bc8564556cad23ad9a86373bdfb8eec162e93
Instruction Fuzzy Hash: 2301F7B141C3C89AEB164E6ACC84B66BB98EF85268F48851AEF084B246C3789440C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 0123D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.339155852.000000000123D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0123D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_123d000_PURCHASE ORDER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b822a4d238980843d44ccf4e9a8dcce2874150234a954bdcd619f19fedf20506
Instruction ID: a01fc582c3e3d40170146051e776d6fd7af785340e52f68911ce943172e10128
Opcode Fuzzy Hash: b822a4d238980843d44ccf4e9a8dcce2874150234a954bdcd619f19fedf20506
Instruction Fuzzy Hash: DEF062714082849AFB158E5ACCC8B62FF98EB81674F18C45AEE085B286C3799844CAB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 01556F18 Relevance: .4, Instructions: 359COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.339905773.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1550000_PURCHASE ORDER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69cddd0c72bd16729585fec1503ab5d39d8b84709daf1667762d84a1adb0dfb1
Instruction ID: 3a41f19a4d09e23768f37578df6d5bcbf279c0bfd8a3b1dd00f850e0d418cad6
Opcode Fuzzy Hash: 69cddd0c72bd16729585fec1503ab5d39d8b84709daf1667762d84a1adb0dfb1
Instruction Fuzzy Hash: C5D19A70B006068FEB6ADB79C86076FB7FBBF88200F54446ED9468B291DB35E901CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0160E2D8 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.339982500.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1600000_PURCHASE ORDER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d15552ccbd2484b6630cb396b7b0cb658a2498cb353d0cd7d5c96e75f669b233
Instruction ID: c22f419776b7f9ee30960223eb80ee4e4dbf9d9422f35ff255d431af0bc41f39
Opcode Fuzzy Hash: d15552ccbd2484b6630cb396b7b0cb658a2498cb353d0cd7d5c96e75f669b233
Instruction Fuzzy Hash: 3A12D8F15117468BE732EF65E89A1D93B78F745328F90820CD2616FAD8D7B4124ACF84

Uniqueness

Uniqueness Score: -1.00%

Function 01556508 Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.339905773.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1550000_PURCHASE ORDER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cfb31d49af16133645d987a9bb90fef0d3c3c66551ffb6939de102704659f8b
Instruction ID: d11329d45632ccea15a45c50995986b67ebcd848f9f134828065b97e361f49cc
Opcode Fuzzy Hash: 4cfb31d49af16133645d987a9bb90fef0d3c3c66551ffb6939de102704659f8b
Instruction Fuzzy Hash: 2BD1C274A006458FDB54DF69C598AADBBF1BF8C304F6580A9E909AB361DB31AD40CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0160BFC4 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.339982500.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1600000_PURCHASE ORDER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9dee816dc4e3367b70f7060774e8df38be7a5e01992244fa55c01e7afd5932d
Instruction ID: 4a650ec11f5521d390b458f13db3b6c106a5a721085307c1490b13fe403fdb1c
Opcode Fuzzy Hash: d9dee816dc4e3367b70f7060774e8df38be7a5e01992244fa55c01e7afd5932d
Instruction Fuzzy Hash: B0A17F36E0021ACFCF1ADFF5C8445DEBBB2FF85300B15866AE905AB265DB35A945CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0160E2C8 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.339982500.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1600000_PURCHASE ORDER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2845e875b7348c47bf9cc85b66ff03b3a56c516abe27a543e8245e1bc060faed
Instruction ID: 7d174fa6472aae32a71de5337ac7231603ba96a5cf44a89ab447c11397bfba42
Opcode Fuzzy Hash: 2845e875b7348c47bf9cc85b66ff03b3a56c516abe27a543e8245e1bc060faed
Instruction Fuzzy Hash: 51C16EB19117468BE732EF24E88A1D97B79FB86328F50830CD1616F6D8D7B4124ACF84

Uniqueness

Uniqueness Score: -1.00%

Function 015518F0 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.339905773.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1550000_PURCHASE ORDER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f945356fa1363581bf33a90691ac6fc822fd96f42a25a1f5a2e9784eee28d9db
Instruction ID: 3f05a9adfb028f08e3c239af0ef40fff72060ca99ef49c81499cc887c61dd555
Opcode Fuzzy Hash: f945356fa1363581bf33a90691ac6fc822fd96f42a25a1f5a2e9784eee28d9db
Instruction Fuzzy Hash: 1371F8B4E0560ACFCB44CFA5D5915AEFFF2FB89210F10982AD815BB244D7745942CF94

Uniqueness

Uniqueness Score: -1.00%

Function 015518E0 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.339905773.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1550000_PURCHASE ORDER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49659234ef27caba8f1010a789792a69ea4c4900cc5fd29d1b5ebe85a690c05e
Instruction ID: b629ee35a0ddf247b083906b49978a1ae6c023526c43288628b64d7e3cb5a7d7
Opcode Fuzzy Hash: 49659234ef27caba8f1010a789792a69ea4c4900cc5fd29d1b5ebe85a690c05e
Instruction Fuzzy Hash: 4D61F4B4E0560ACFCB44CFA6D4915AEBFF2FB89310F10982AD815BB254E7745A42CF60

Uniqueness

Uniqueness Score: -1.00%

Function 01551ED8 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.339905773.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1550000_PURCHASE ORDER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d47ecbbe9c6e09661e0f14b70834b03d21e5327975e857de32632100610a437
Instruction ID: 9e0e723518773dd79061bd0319a07f9855fe32487fada2b964eaa1b35e558926
Opcode Fuzzy Hash: 0d47ecbbe9c6e09661e0f14b70834b03d21e5327975e857de32632100610a437
Instruction Fuzzy Hash: 20410871D1062ACBDB64CF66C8447E9BBB2FF99300F1486AAD50DA6210EB705A85CF40

Uniqueness

Uniqueness Score: -1.00%

Function 01551EC9 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.339905773.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1550000_PURCHASE ORDER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc4c070fb1008ab4bdaccbcf0905dabcaa996a0ea44c0229c990442a4f08ac84
Instruction ID: 359b67c5a9593ab2f44dd4a02bf6ed452311ad957b751848339ec1c1c069fe42
Opcode Fuzzy Hash: cc4c070fb1008ab4bdaccbcf0905dabcaa996a0ea44c0229c990442a4f08ac84
Instruction Fuzzy Hash: 7C411B71D1062ACBDB68CF66C984799BBB2FFD9300F1582EAD508A7214EB705AC5CF40

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegSvcs.exePID: 4212, Parent PID: 5196COMMON

Execution Graph

Execution Coverage:	19.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0.8%
Total number of Nodes:	947
Total number of Limit Nodes:	22

Executed Functions

Function 05E86BF8 Relevance: 2.1, APIs: 1, Instructions: 555COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.423690749.0000000005E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5e80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8ef3f62579309857d46adf994bff312a4e971cd9b0b5e308e487f61acaf7551
Instruction ID: 850d8d6eaf9e761f0a57da86eb5b790f894259dbc2249a8a5d33318298f7a394
Opcode Fuzzy Hash: e8ef3f62579309857d46adf994bff312a4e971cd9b0b5e308e487f61acaf7551
Instruction Fuzzy Hash: 9F129E70B052049FDB14EBB8C858BAEBBB2EF89308F158069D449EB395DB35DC45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05E6A5A4 Relevance: 1.9, Strings: 1, Instructions: 664COMMON

Download Yara Rule

Strings

8^tl, xrefs: 05E6A804

Memory Dump Source

Source File: 00000003.00000002.423422264.0000000005E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5e60000_RegSvcs.jbxd

Similarity

API ID:
String ID: 8^tl
API String ID: 0-2108595561
Opcode ID: 6b5c4edd3a29271622e34464edab11042db3e0dfb394676cdbf551fd5991199f
Instruction ID: 126cf440965a8acd26b4b02d4dd97123396256150bf0367e863e1806b332b00e
Opcode Fuzzy Hash: 6b5c4edd3a29271622e34464edab11042db3e0dfb394676cdbf551fd5991199f
Instruction Fuzzy Hash: 9E429130E44248CFEB24DBA8C5547ADB7A2EF85384F15C06AD449AF386DB74D885CB62

Uniqueness

Uniqueness Score: -1.00%

Function 05E6F910 Relevance: 1.8, Strings: 1, Instructions: 563COMMON

Download Yara Rule

Strings

\ol, xrefs: 05E6FE73

Memory Dump Source

Source File: 00000003.00000002.423422264.0000000005E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5e60000_RegSvcs.jbxd

Similarity

API ID:
String ID: \ol
API String ID: 0-1325158581
Opcode ID: 9e4120ad185f0e13eda026ca3e3fa342434ac6e0e2a0176f933ea7058b5ff447
Instruction ID: a0778db4953ed6d5a376623cf47eea6d2aad4c9256c8d522a12a6655c5169551
Opcode Fuzzy Hash: 9e4120ad185f0e13eda026ca3e3fa342434ac6e0e2a0176f933ea7058b5ff447
Instruction Fuzzy Hash: 7B020530B442488FEB14DB68D894BAEB7E3FB85394F159029E0A9EB385CB34DC41C761

Uniqueness

Uniqueness Score: -1.00%

Function 05D354C0 Relevance: 1.6, APIs: 1, Instructions: 135COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(00000000,00000000), ref: 05D35B5B

Memory Dump Source

Source File: 00000003.00000002.422394621.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5d30000_RegSvcs.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 7eac715c2048c392817f580a92d6037e4365bb6ec3cab8d43b4eb70495a58f7f
Instruction ID: b480243dffc5f4a8084f39f471181079f5915c2e3763c3757a5d1fd19270e5ec
Opcode Fuzzy Hash: 7eac715c2048c392817f580a92d6037e4365bb6ec3cab8d43b4eb70495a58f7f
Instruction Fuzzy Hash: 6D5102B0D002188FDB14CFA9D899BDEBBF1BF49314F55812AE816AB350D774A844CF95

Uniqueness

Uniqueness Score: -1.00%

Function 05E60040 Relevance: 1.4, Instructions: 1377COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.423422264.0000000005E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5e60000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5393ff1fc47e1f79e92721d78826eb479377942c5e68d97bfe30db982a03cbc
Instruction ID: 649771ef9c20b5c79f022e9f7deaad16e2eb4eeeaf60198fdebaaca9b7da7d53
Opcode Fuzzy Hash: e5393ff1fc47e1f79e92721d78826eb479377942c5e68d97bfe30db982a03cbc
Instruction Fuzzy Hash: 3D8284277C55F88FF2314968CC9E6BD2B73F7901D874A6001A4DBE2B16D72896088FA1

Uniqueness

Uniqueness Score: -1.00%

Function 05E65428 Relevance: .6, Instructions: 633COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.423422264.0000000005E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5e60000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a7b30f3a1127f11121e78e637b41c1f20e26ceba908dc91d624c5b2fb65b029
Instruction ID: 509414eb65f5da49cf816b1a391047ded472cd97927c58979ec57ba28da2b453
Opcode Fuzzy Hash: 2a7b30f3a1127f11121e78e637b41c1f20e26ceba908dc91d624c5b2fb65b029
Instruction Fuzzy Hash: D6327030B042188FDB24DBB8C8547AEB7B2FF85288F5184AAD549DB395DB34DC85CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05E6F4CF Relevance: .4, Instructions: 396COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.423422264.0000000005E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5e60000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d6fd1fe7b9d2b5fdd12feacaa52a999457051965b83c93d634a5a104562fd7e
Instruction ID: 023493a2778461349c2f12b7a9eb609b937a3b1cf8fa450b8043ba59da70a4b4
Opcode Fuzzy Hash: 4d6fd1fe7b9d2b5fdd12feacaa52a999457051965b83c93d634a5a104562fd7e
Instruction Fuzzy Hash: 79D1D431B442058FEB20CF69D880A6FBBB2FF85394F1185AAD1A9DB259D730EC45C791

Uniqueness

Uniqueness Score: -1.00%

Function 05E67E40 Relevance: .4, Instructions: 391COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.423422264.0000000005E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5e60000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f719694797b11598b76d15cad7640676b0bc793eb8d329393de810db9ce42a24
Instruction ID: 1e6caf06ceb2bb039b451d3097f255363325bface2154fc83406d2dc4599a259
Opcode Fuzzy Hash: f719694797b11598b76d15cad7640676b0bc793eb8d329393de810db9ce42a24
Instruction Fuzzy Hash: 20D1B230B442145FEB18EB78C85576E76E3EFC9748F158429E50AAB384EF34EC4287A5

Uniqueness

Uniqueness Score: -1.00%

Function 00DEE16B Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.412065580.0000000000DED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_ded000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ab7c42da2d4e9c7406113c042ee38dfb88fbd0b617c5c326dcb98e815b53027
Instruction ID: 46a39df806747b7ef21b1d96403a21515db3247b8233f2aefb3c184e4a15df39
Opcode Fuzzy Hash: 3ab7c42da2d4e9c7406113c042ee38dfb88fbd0b617c5c326dcb98e815b53027
Instruction Fuzzy Hash: BF91B27684E7C09FD3138B3498A46517FB0AF53219F1E45DBC8C2CA1A3E2699D0AC762

Uniqueness

Uniqueness Score: -1.00%

Function 05E6CD19 Relevance: .3, Instructions: 308COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.423422264.0000000005E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5e60000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd7079edc8b876d90d767b2284bb02a9d4e36ac220c614073a63406a093f29a7
Instruction ID: 26f1c20ae873462c36aaf76f336d58465837038b7346c9c08df227dc920d9db9
Opcode Fuzzy Hash: cd7079edc8b876d90d767b2284bb02a9d4e36ac220c614073a63406a093f29a7
Instruction Fuzzy Hash: 6BB1F130F442188BDB24DB74C95976EB6E3AFC5384FA58069D44AAB391DF70DC82C792

Uniqueness

Uniqueness Score: -1.00%

Function 05D37E50 Relevance: 3.4, APIs: 2, Instructions: 361COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05D383E7
KiUserExceptionDispatcher.NTDLL ref: 05D38A92

Memory Dump Source

Source File: 00000003.00000002.422394621.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5d30000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 05e8cef35d1f78dd6e2c6be5e751689d630e6c36bb302035655ab4d86998437b
Instruction ID: 4e617dbdeca662dd62bc04217a318e482a6279beb632d85f9ba51b2a93567e17
Opcode Fuzzy Hash: 05e8cef35d1f78dd6e2c6be5e751689d630e6c36bb302035655ab4d86998437b
Instruction Fuzzy Hash: F912BC79902218CFCB64DF74D98969CB7B2BF89346F1041EAE45A62350CB359EC6CF21

Uniqueness

Uniqueness Score: -1.00%

Function 05D37E71 Relevance: 3.4, APIs: 2, Instructions: 361COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05D383E7
KiUserExceptionDispatcher.NTDLL ref: 05D38A92

Memory Dump Source

Source File: 00000003.00000002.422394621.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5d30000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 2029e67935e3dc8cccb0341e8778a7b4fea42f3feb65e914fb6700ac07890f4e
Instruction ID: 32732c9b889e26f38725a3810df099134f49b4146e837c474cee0a68558622e5
Opcode Fuzzy Hash: 2029e67935e3dc8cccb0341e8778a7b4fea42f3feb65e914fb6700ac07890f4e
Instruction Fuzzy Hash: 1912BB79906218CFCB64DF74D98969CB7B2BF89346F1041EAE41A62350CB359EC6CF21

Uniqueness

Uniqueness Score: -1.00%

Function 05D37EB6 Relevance: 3.4, APIs: 2, Instructions: 354COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05D383E7
KiUserExceptionDispatcher.NTDLL ref: 05D38A92

Memory Dump Source

Source File: 00000003.00000002.422394621.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5d30000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: a740533a6bbecb0cec3977de1ceceb21f58988f529e22fe65e7d13d63e7d88ec
Instruction ID: 25485f9eb81b2c9bbc732eb7d2625b81a1f1a52b779e777fee99bac219113fdd
Opcode Fuzzy Hash: a740533a6bbecb0cec3977de1ceceb21f58988f529e22fe65e7d13d63e7d88ec
Instruction Fuzzy Hash: 6E02BB79906218CFCB64DF74D98969CB7B2BF89346F1041EAE41A62350CB359EC6CF21

Uniqueness

Uniqueness Score: -1.00%

Function 05D37EFB Relevance: 3.3, APIs: 2, Instructions: 347COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05D383E7
KiUserExceptionDispatcher.NTDLL ref: 05D38A92

Memory Dump Source

Source File: 00000003.00000002.422394621.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5d30000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 533b1bc0cc0fe20567564fd1fe5a7ba52ce9b403164ff04be1ce5ea1b50279d4
Instruction ID: af679c78ac006da72335c68678b1f6cab1dea7e1f6aec73068f5f67351fd2222
Opcode Fuzzy Hash: 533b1bc0cc0fe20567564fd1fe5a7ba52ce9b403164ff04be1ce5ea1b50279d4
Instruction Fuzzy Hash: 4202BC79906218CFCB64DF74D98969CB7B2BF89346F1041EAE44A62350CB359EC6CF21

Uniqueness

Uniqueness Score: -1.00%

Function 05D37F40 Relevance: 3.3, APIs: 2, Instructions: 340COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05D383E7
KiUserExceptionDispatcher.NTDLL ref: 05D38A92

Memory Dump Source

Source File: 00000003.00000002.422394621.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5d30000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 9ea81f86025f13f8a1e50a23ad3744abfd758d8548dec06857797b3dc0732d52
Instruction ID: df1f7510aa4a9d29a99a4dcbe32e80652e86fcbfc3d7e496379e89ac0b76b4a3
Opcode Fuzzy Hash: 9ea81f86025f13f8a1e50a23ad3744abfd758d8548dec06857797b3dc0732d52
Instruction Fuzzy Hash: 8F02AB79906218CFCB64DF74D98969CB7B2BF89346F1041EAE44A62350CB359EC6CF21

Uniqueness

Uniqueness Score: -1.00%

Function 05D37F85 Relevance: 3.3, APIs: 2, Instructions: 333COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05D383E7
KiUserExceptionDispatcher.NTDLL ref: 05D38A92

Memory Dump Source

Source File: 00000003.00000002.422394621.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5d30000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 4582c54d2cefaf488324e6005ccc506054f84bd770f22f342b4901d979a719df
Instruction ID: 452fd84e96881b8706267d9b88e5cff916354cba9c2e277fd018d046184bd42f
Opcode Fuzzy Hash: 4582c54d2cefaf488324e6005ccc506054f84bd770f22f342b4901d979a719df
Instruction Fuzzy Hash: 7502AC79906218CFCB64DF74D98969CB7B2BF89346F1041EAE44A62350CB359EC6CF21

Uniqueness

Uniqueness Score: -1.00%

Function 05D37FCA Relevance: 3.3, APIs: 2, Instructions: 326COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05D383E7
KiUserExceptionDispatcher.NTDLL ref: 05D38A92

Memory Dump Source

Source File: 00000003.00000002.422394621.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5d30000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 45afad000494c450806ff9f60700cfb0cd0c2871cfd29436dce022e2768f6a17
Instruction ID: 5b8bc8eeea88e609ca5fe1c97c8f7750853a4b1df1768e2a05f391d2d1d8b03f
Opcode Fuzzy Hash: 45afad000494c450806ff9f60700cfb0cd0c2871cfd29436dce022e2768f6a17
Instruction Fuzzy Hash: 4B02AB79906218CFCB64DF74D98969CB7B2BF89346F1041EAE44A62350CB359EC6CF21

Uniqueness

Uniqueness Score: -1.00%

Function 05D3800F Relevance: 3.3, APIs: 2, Instructions: 319COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05D383E7
KiUserExceptionDispatcher.NTDLL ref: 05D38A92

Memory Dump Source

Source File: 00000003.00000002.422394621.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5d30000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 65535cf2fa8fd197ddbbfd4cac5c01ad05b07709f0e0aff309648cb8201fd1ce
Instruction ID: 63f4d921b68508dbb7bc4d5cb4d0577e3e9ff7822ba98e81df1582ed91b842c6
Opcode Fuzzy Hash: 65535cf2fa8fd197ddbbfd4cac5c01ad05b07709f0e0aff309648cb8201fd1ce
Instruction Fuzzy Hash: 70F1AB79906218CFCB64DF74D98969CB7B2BF89346F1041EAE40A62350CB359EC6CF61

Uniqueness

Uniqueness Score: -1.00%

Function 05D38054 Relevance: 3.3, APIs: 2, Instructions: 312COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05D383E7
KiUserExceptionDispatcher.NTDLL ref: 05D38A92

Memory Dump Source

Source File: 00000003.00000002.422394621.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5d30000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 671f953ab8ace9c15fe271f096aa086747514de82f22bc60d90d9387b194016b
Instruction ID: e6aeab7ed53156ed2934f1114c17a637bb450e58160756ebd8f2e6b8278f0c1b
Opcode Fuzzy Hash: 671f953ab8ace9c15fe271f096aa086747514de82f22bc60d90d9387b194016b
Instruction Fuzzy Hash: 76F1AB79906218CFCB64DF74D98969CB7B2BF89346F1041EAE40A62350CB359EC6CF21

Uniqueness

Uniqueness Score: -1.00%

Function 05D38099 Relevance: 3.3, APIs: 2, Instructions: 303COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05D383E7
KiUserExceptionDispatcher.NTDLL ref: 05D38A92

Memory Dump Source

Source File: 00000003.00000002.422394621.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5d30000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 11d9ce5560aab528ab0cd55e249455a9e8e3b0f8da2de6b24eae4504becda9e7
Instruction ID: 3d644658f411eb765b2fd20ba92b289f84fc9b54c0a4e7fbaed5cf8db6e17b29
Opcode Fuzzy Hash: 11d9ce5560aab528ab0cd55e249455a9e8e3b0f8da2de6b24eae4504becda9e7
Instruction Fuzzy Hash: B2F1AA79906218CFCB64DF74D98969CB7B2BF89346F1041EAE40A62350CB359EC6CF21

Uniqueness

Uniqueness Score: -1.00%

Function 05D380D5 Relevance: 3.3, APIs: 2, Instructions: 298COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05D383E7
KiUserExceptionDispatcher.NTDLL ref: 05D38A92

Memory Dump Source

Source File: 00000003.00000002.422394621.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5d30000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 154fdee07ea602c98e950362d1dddb42845c0d7954d4d1b15c003909bf75d691
Instruction ID: f83dffdef2e4b9e2d0fdd4af0369efa7fecc55e403752e093010a0b8f067f3b9
Opcode Fuzzy Hash: 154fdee07ea602c98e950362d1dddb42845c0d7954d4d1b15c003909bf75d691
Instruction Fuzzy Hash: E0F1AB79906258CFCB64DF74D98969CB7B2BF89346F1041EAE40A62350CB359EC6CF21

Uniqueness

Uniqueness Score: -1.00%

Function 05D3811A Relevance: 3.3, APIs: 2, Instructions: 291COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05D383E7
KiUserExceptionDispatcher.NTDLL ref: 05D38A92

Memory Dump Source

Source File: 00000003.00000002.422394621.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5d30000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: ad66586e1bd2dcaa4edcafbc329e384b93fbfd6370f049620cea32499d48da40
Instruction ID: 9bb39f0ec2792d90f37c602d4e5f2e2504394cca4de05490a93cee455fbfc568
Opcode Fuzzy Hash: ad66586e1bd2dcaa4edcafbc329e384b93fbfd6370f049620cea32499d48da40
Instruction Fuzzy Hash: 53E1AB79906218CFCB64DF74D98969CB7B2BF89346F1041EAE44A62350CB359EC6CF21

Uniqueness

Uniqueness Score: -1.00%

Function 05D3815F Relevance: 3.3, APIs: 2, Instructions: 284COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05D383E7
KiUserExceptionDispatcher.NTDLL ref: 05D38A92

Memory Dump Source

Source File: 00000003.00000002.422394621.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5d30000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: c9efd2bc29aba45e864309418d6480afc8a05cbacd58ec7fa042dfea6cacfb5a
Instruction ID: f26f16ddd379ccbc5b36d807547e555c2f752605e5a09396b2c65ebfd5a8d44b
Opcode Fuzzy Hash: c9efd2bc29aba45e864309418d6480afc8a05cbacd58ec7fa042dfea6cacfb5a
Instruction Fuzzy Hash: 8FE1AB79906218CFCB64DF74D98969CB7B2BF89346F1041EAE44A62350CB359EC6CF21

Uniqueness

Uniqueness Score: -1.00%

Function 05D381A4 Relevance: 3.3, APIs: 2, Instructions: 277COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05D383E7
KiUserExceptionDispatcher.NTDLL ref: 05D38A92

Memory Dump Source

Source File: 00000003.00000002.422394621.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5d30000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: c44b01a5c36e9cacfcfb44d1110a88c48a39a5f3f373d807eee55c0ccaa445db
Instruction ID: cf5affefa29e7297566d52a96a1843a153a5e33c8efb54f19548e123f84cf9e4
Opcode Fuzzy Hash: c44b01a5c36e9cacfcfb44d1110a88c48a39a5f3f373d807eee55c0ccaa445db
Instruction Fuzzy Hash: 7DE1AB79906218CFCB64DF74D98969CB7B2BF89346F1041EAE44A62350CB359EC6CF21

Uniqueness

Uniqueness Score: -1.00%

Function 05D381E9 Relevance: 3.3, APIs: 2, Instructions: 270COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05D383E7
KiUserExceptionDispatcher.NTDLL ref: 05D38A92

Memory Dump Source

Source File: 00000003.00000002.422394621.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5d30000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: a62c406856cddb0d447c76f6b2750a5517a39bdcf12b10ee092052f93fabd37f
Instruction ID: 5c55005a0bcb5129e47650821257d2ad9c77719b6c0ee9ae8a85310da7036e43
Opcode Fuzzy Hash: a62c406856cddb0d447c76f6b2750a5517a39bdcf12b10ee092052f93fabd37f
Instruction Fuzzy Hash: 9BE1AB79906218CFCB64DF74D98969CB7B2BF89346F1041EAE44A62350CB359EC6CF21

Uniqueness

Uniqueness Score: -1.00%

Function 05D3822E Relevance: 3.3, APIs: 2, Instructions: 263COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05D383E7
KiUserExceptionDispatcher.NTDLL ref: 05D38A92

Memory Dump Source

Source File: 00000003.00000002.422394621.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5d30000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 673846e4b7fad3dc5edc7c133a6017a75fc5a81fb20aed33cdc35fc0c6ab2d1b
Instruction ID: 157068c472742256c30a3b7025f40fca95afaf8525a5426e282c834bf91335ac
Opcode Fuzzy Hash: 673846e4b7fad3dc5edc7c133a6017a75fc5a81fb20aed33cdc35fc0c6ab2d1b
Instruction Fuzzy Hash: 35D1BB79906218CFCB64DF74D98969CB7B2BF85346F1041EAE50AA2350CB359EC6CF21

Uniqueness

Uniqueness Score: -1.00%

Function 05D38273 Relevance: 3.3, APIs: 2, Instructions: 256COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05D383E7
KiUserExceptionDispatcher.NTDLL ref: 05D38A92

Memory Dump Source

Source File: 00000003.00000002.422394621.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5d30000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: aee8445f918b8c53d8491acb523614de819c405a355d416f32747bbab66abdef
Instruction ID: ab2e9468c9ff03b7820169cccaa7de3ef6bd39c1f765be82ccfa1d8491f376be
Opcode Fuzzy Hash: aee8445f918b8c53d8491acb523614de819c405a355d416f32747bbab66abdef
Instruction Fuzzy Hash: 80D1AB79906218CFCB64DF74D98969CB7B2BF85346F1041EAE50AA2350CB359EC6CF21

Uniqueness

Uniqueness Score: -1.00%

Function 05D382B8 Relevance: 3.2, APIs: 2, Instructions: 249COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05D383E7
KiUserExceptionDispatcher.NTDLL ref: 05D38A92

Memory Dump Source

Source File: 00000003.00000002.422394621.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5d30000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 0d017d5ebc16590877c0eed5d63f868307ad8ef9d9f6b5beb37944c690e28b28
Instruction ID: 5cc7be9ef669cac6d9981c25ffa3d1c09df616c2fe5f74fb3f07a46371c644e8
Opcode Fuzzy Hash: 0d017d5ebc16590877c0eed5d63f868307ad8ef9d9f6b5beb37944c690e28b28
Instruction Fuzzy Hash: 1DD1AB79906218CFCB64DF74D98969CB7B2BF85346F1041EAE50A62350CB359EC6CF21

Uniqueness

Uniqueness Score: -1.00%

Function 05D382FD Relevance: 3.2, APIs: 2, Instructions: 242COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05D383E7
KiUserExceptionDispatcher.NTDLL ref: 05D38A92

Memory Dump Source

Source File: 00000003.00000002.422394621.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5d30000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 68c33b7b383a4acd72166f779cf10566c80bdf509b83f4933e7b90a228657a7f
Instruction ID: 40cdca43ef787782839a2bb1aa632d5fc415110f03f71c971d379f81f7454e82
Opcode Fuzzy Hash: 68c33b7b383a4acd72166f779cf10566c80bdf509b83f4933e7b90a228657a7f
Instruction Fuzzy Hash: C0C1AA79906218CFCB64DF74D98969CB7B2BF89346F1041EAE50A62350CB359EC6CF21

Uniqueness

Uniqueness Score: -1.00%

Function 05D38342 Relevance: 3.2, APIs: 2, Instructions: 235COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05D383E7
KiUserExceptionDispatcher.NTDLL ref: 05D38A92

Memory Dump Source

Source File: 00000003.00000002.422394621.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5d30000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 0e3267b0c8c34419529759febe78ee8c3085d1b184e9a0099f6d8c8f3076dbdc
Instruction ID: a2bbd842204752fc7ffeb967de0a2b3d4baf186b0e64e376ecbc544a413c2222
Opcode Fuzzy Hash: 0e3267b0c8c34419529759febe78ee8c3085d1b184e9a0099f6d8c8f3076dbdc
Instruction Fuzzy Hash: CDC1A979906228CFCB64DF74D98969CB7B2BF85346F1041EAE40A62350CB359EC6CF21

Uniqueness

Uniqueness Score: -1.00%

Function 05D38387 Relevance: 3.2, APIs: 2, Instructions: 228COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05D383E7
KiUserExceptionDispatcher.NTDLL ref: 05D38A92

Memory Dump Source

Source File: 00000003.00000002.422394621.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5d30000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 13b63bca4308a49d5fc84798b22ce28ddfe771fe9d59d85baa4e78ca3625d3fd
Instruction ID: 86909f09735a7b0e96c865cba2af96b09ec45114eb54ee44c5a7cc5d961b9862
Opcode Fuzzy Hash: 13b63bca4308a49d5fc84798b22ce28ddfe771fe9d59d85baa4e78ca3625d3fd
Instruction Fuzzy Hash: B9C1BA79906228CFCB64DF74D98969CB7B2BF85346F1041EAE40A62350CB359EC6CF21

Uniqueness

Uniqueness Score: -1.00%

Function 05D383CC Relevance: 3.2, APIs: 2, Instructions: 219COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05D383E7
KiUserExceptionDispatcher.NTDLL ref: 05D38A92

Memory Dump Source

Source File: 00000003.00000002.422394621.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5d30000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: c8f5219c6672129319f7c45b315eb220b9f24a04fedd1568a73dcc18f2f33c19
Instruction ID: a11bea378ecef6b1aa08e4f43d261b145dc4b22a4707abf8497f7384ba1adb8c
Opcode Fuzzy Hash: c8f5219c6672129319f7c45b315eb220b9f24a04fedd1568a73dcc18f2f33c19
Instruction Fuzzy Hash: EBB1A979906228CFCB64DF74D98969CB7B2BF85346F1041EAE44A62350CB359EC6CF21

Uniqueness

Uniqueness Score: -1.00%

Function 05E6C260 Relevance: 2.8, Strings: 2, Instructions: 282COMMON

Download Yara Rule

Strings

Xctl, xrefs: 05E6C335
Xctl, xrefs: 05E6C32B

Memory Dump Source

Source File: 00000003.00000002.423422264.0000000005E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5e60000_RegSvcs.jbxd

Similarity

API ID:
String ID: Xctl$Xctl
API String ID: 0-1774723568
Opcode ID: 5c0f72602f750d732311f1d0b0b981b59aae721b6a5ec5474635276a01432e14
Instruction ID: 808819bf7504857b55c5a69e12e049875150e4ff9c0ba6f5bcfca578aff01732
Opcode Fuzzy Hash: 5c0f72602f750d732311f1d0b0b981b59aae721b6a5ec5474635276a01432e14
Instruction Fuzzy Hash: E4A1C0307442159FEB05EF68C859ABE3BA3EF89384F158469E58ADB391DF30DC0187A1

Uniqueness

Uniqueness Score: -1.00%

Function 04D7086B Relevance: 1.8, APIs: 1, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.420414324.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4d70000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b0715874a8cf58d9b2a3ceb1c32266f43cbf21b453a01a09f0886987dee6451
Instruction ID: 9b79fd7280be4bfe29bba50c53aeb24fd57dc8f0338b0105bb83da22546afcbf
Opcode Fuzzy Hash: 6b0715874a8cf58d9b2a3ceb1c32266f43cbf21b453a01a09f0886987dee6451
Instruction Fuzzy Hash: 1E81A171E042089FDF11DFA9D8807EDBBB1FB8A324F24446AE509E7391E734A845CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05D38408 Relevance: 1.7, APIs: 1, Instructions: 214COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05D38A92

Memory Dump Source

Source File: 00000003.00000002.422394621.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5d30000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: f90be6587e2ae33abc8abff5a5a19805e7a670601d7cf92dced06da1c810b95d
Instruction ID: b53c00993f94c7a68978859a0d6168fe80b96453f2f8c1e8168a03a7c20bb9a4
Opcode Fuzzy Hash: f90be6587e2ae33abc8abff5a5a19805e7a670601d7cf92dced06da1c810b95d
Instruction Fuzzy Hash: 5BB1BA79906218CFCB64DF74D98969CB7B2BF89346F1041EAE40A62350CB359EC6CF21

Uniqueness

Uniqueness Score: -1.00%

Function 05D3844D Relevance: 1.7, APIs: 1, Instructions: 205COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05D38A92

Memory Dump Source

Source File: 00000003.00000002.422394621.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5d30000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 6eedccfcd8f6ae4233ed3201d299b541b03dce6c557aec922c3f30606d879830
Instruction ID: 449cd9a4b50c522eb621cdb9469be64dea7c2c4c87235b1900747682d4c80237
Opcode Fuzzy Hash: 6eedccfcd8f6ae4233ed3201d299b541b03dce6c557aec922c3f30606d879830
Instruction Fuzzy Hash: 6CB1BA79906218CFCB64DF74D98969CB7B2BF85346F1041EAE44A62350CB359EC6CF21

Uniqueness

Uniqueness Score: -1.00%

Function 05D38489 Relevance: 1.7, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05D38A92

Memory Dump Source

Source File: 00000003.00000002.422394621.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5d30000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: fe66f33f65c7f88730ac562ee3ccd9a9862a02c5f0fc80f2c8fa0a1e74f95ffa
Instruction ID: 04389ed6c821c7b97dd5e6b98ba3d2aa2720e495e0a3d1b3bb7e86e8be426630
Opcode Fuzzy Hash: fe66f33f65c7f88730ac562ee3ccd9a9862a02c5f0fc80f2c8fa0a1e74f95ffa
Instruction Fuzzy Hash: F5A1CB79906228CFCB64DF74D98969CB7B2BF85346F1041EAE44A62350CB359EC6CF21

Uniqueness

Uniqueness Score: -1.00%

Function 05D384C5 Relevance: 1.7, APIs: 1, Instructions: 191COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05D38A92

Memory Dump Source

Source File: 00000003.00000002.422394621.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5d30000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 191c0d5d3c9e2d0b5e5f00a710e185f6940482b13c5e1678f9f1352f7ce7614a
Instruction ID: 48d0d2385b373547b946b593d740937c3ce11dbf5124e45deae53b9baed60c82
Opcode Fuzzy Hash: 191c0d5d3c9e2d0b5e5f00a710e185f6940482b13c5e1678f9f1352f7ce7614a
Instruction Fuzzy Hash: 6CA1BB79906228CFCB64DF74D98969CB7B2BF85346F5041EAE44A62350CB359EC2CF21

Uniqueness

Uniqueness Score: -1.00%

Function 05D38501 Relevance: 1.7, APIs: 1, Instructions: 186COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05D38A92

Memory Dump Source

Source File: 00000003.00000002.422394621.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5d30000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 3e0dc30ba13adeb239a4c82f6bc0f7e2f2527305d8998feaeb61e46956d5023d
Instruction ID: 5fe10d0b9ed472ca1498d7d0fcbb14b6262e4363a265dbf2bd16534d7bb1c7a6
Opcode Fuzzy Hash: 3e0dc30ba13adeb239a4c82f6bc0f7e2f2527305d8998feaeb61e46956d5023d
Instruction Fuzzy Hash: CDA1A979906228CFCB64DF74D98969CB7B2BF89305F5041EAE44A62350DB359EC2CF21

Uniqueness

Uniqueness Score: -1.00%

Function 05D38546 Relevance: 1.7, APIs: 1, Instructions: 179COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05D38A92

Memory Dump Source

Source File: 00000003.00000002.422394621.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5d30000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 2ca87be94d17f4375004b02d9295e06b9d5d0ebbbef4743d24add30c5dc0107a
Instruction ID: 38fcf973b79c09411c70c49e1f4afe8e4247e7f2c79373690fa372742353c1a3
Opcode Fuzzy Hash: 2ca87be94d17f4375004b02d9295e06b9d5d0ebbbef4743d24add30c5dc0107a
Instruction Fuzzy Hash: 5091BA79906228CFCB64DF74D98969DB7B2BF45305F1041EAE44A62350CB359EC2CF61

Uniqueness

Uniqueness Score: -1.00%

Function 05D3858B Relevance: 1.7, APIs: 1, Instructions: 172COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05D38A92

Memory Dump Source

Source File: 00000003.00000002.422394621.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5d30000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 557fc55a93664a3af48ec8f5009b0000208c9a8de8786eb5b27fdd47fb1d3699
Instruction ID: b5ffe45d4b255a9b4f8a39d974786778532ffb31ad88abd1710465611405e0e4
Opcode Fuzzy Hash: 557fc55a93664a3af48ec8f5009b0000208c9a8de8786eb5b27fdd47fb1d3699
Instruction Fuzzy Hash: 8F91AA79906228CFCB64DF74D98969CB7B2BF89305F1041EAE44A62350DB359EC2CF21

Uniqueness

Uniqueness Score: -1.00%

Function 05E65ED8 Relevance: 1.7, Strings: 1, Instructions: 421COMMON

Download Yara Rule

Strings

8, xrefs: 05E66408

Memory Dump Source

Source File: 00000003.00000002.423422264.0000000005E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5e60000_RegSvcs.jbxd

Similarity

API ID:
String ID: 8
API String ID: 0-4194326291
Opcode ID: fbf88e9535bddfa1a1d2e43c6d528b179533d6bc22825c51e76c1160c870173c
Instruction ID: 386098a4c2ab6286ec9734acf9c8d94169a7df2591026b33f3c7041394ff59e5
Opcode Fuzzy Hash: fbf88e9535bddfa1a1d2e43c6d528b179533d6bc22825c51e76c1160c870173c
Instruction Fuzzy Hash: 13E17B34B443049FEB049BB8D4546ADB7E2EF85388F14856AD44ADB395EF38EC45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05D385D3 Relevance: 1.7, APIs: 1, Instructions: 165COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05D38A92

Memory Dump Source

Source File: 00000003.00000002.422394621.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5d30000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: d5cf1708dadd226e4f2a5e849394db784e505a88ae4a03f29a6813c48207b7a5
Instruction ID: c4278b816355c17c6ad149a6bf24bd1a7af35b374f400d7a8a39ea6cabe2e31d
Opcode Fuzzy Hash: d5cf1708dadd226e4f2a5e849394db784e505a88ae4a03f29a6813c48207b7a5
Instruction Fuzzy Hash: 0C81BA79906228CFCB64DF74D98969CB7B2BF89305F5041EAE44A62350DB359EC2CF21

Uniqueness

Uniqueness Score: -1.00%

Function 05D3861B Relevance: 1.7, APIs: 1, Instructions: 158COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05D38A92

Memory Dump Source

Source File: 00000003.00000002.422394621.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5d30000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: b987b89368e70cbf7d014c55fee4dbd9c34c349e502c2f5e7c308de05bccdea8
Instruction ID: 36c9ebe987340a4116ee4b404d8bc135ec7c8cfba2d733a795f95a8e0794844c
Opcode Fuzzy Hash: b987b89368e70cbf7d014c55fee4dbd9c34c349e502c2f5e7c308de05bccdea8
Instruction Fuzzy Hash: C581AA79906228CFCB64DF74D98969DB7B2BF89305F1041EAE44A62350DB359EC2CF21

Uniqueness

Uniqueness Score: -1.00%

Function 05D38663 Relevance: 1.7, APIs: 1, Instructions: 151COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05D38A92

Memory Dump Source

Source File: 00000003.00000002.422394621.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5d30000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 490ee8b06acaf00c8e51111310944ea704818f89b74099ec12c487981ed5882c
Instruction ID: 2d3f425b1530e8b637831ac2ac247b12b54d495c0f27f9f4dd56bfa5b61a0495
Opcode Fuzzy Hash: 490ee8b06acaf00c8e51111310944ea704818f89b74099ec12c487981ed5882c
Instruction Fuzzy Hash: 7171CA79906228CFCB64DF74D98969CB7B2BF89305F1041EAE44A62350DB359EC2CF61

Uniqueness

Uniqueness Score: -1.00%

Function 05D386AB Relevance: 1.6, APIs: 1, Instructions: 142COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05D38A92

Memory Dump Source

Source File: 00000003.00000002.422394621.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5d30000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 3de2d15866cadd83bd71ed0a52ec5541953be89cce70f3a94ed8c1cee952eac7
Instruction ID: 2bb7601203ed08420b3730c7ad5a273c5e80d43131704090b9de4686750f766b
Opcode Fuzzy Hash: 3de2d15866cadd83bd71ed0a52ec5541953be89cce70f3a94ed8c1cee952eac7
Instruction Fuzzy Hash: A571CC79906228CFCB64DF74D98969CB7B2BF89305F1041EAE44A62340DB359EC2CF21

Uniqueness

Uniqueness Score: -1.00%

Function 05D386E7 Relevance: 1.6, APIs: 1, Instructions: 137COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05D38A92

Memory Dump Source

Source File: 00000003.00000002.422394621.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5d30000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: d5a5380a8cbba8f87ac5b368175ddd36c1e61e682b818e112f3541e364e03ce8
Instruction ID: d0ca5a87c56802ec876c4b8fab5e4411e517028810ad7e73f3c033b0381a4ba1
Opcode Fuzzy Hash: d5a5380a8cbba8f87ac5b368175ddd36c1e61e682b818e112f3541e364e03ce8
Instruction Fuzzy Hash: B761CA79906228CFCB64DF74D98969CB7B2BF85305F1041EAE44A62340DB359EC6CF11

Uniqueness

Uniqueness Score: -1.00%

Function 05D357B4 Relevance: 1.6, APIs: 1, Instructions: 134COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(00000000,00000000), ref: 05D35B5B

Memory Dump Source

Source File: 00000003.00000002.422394621.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5d30000_RegSvcs.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 693194eaf1dec253dffb4db7d98aa5d0a72b0513e20786fa30a2c0a3f7639b94
Instruction ID: c862aff9802aace520f16511b2514e2e8fb6af102a50d6e4729dcd7f5cb12936
Opcode Fuzzy Hash: 693194eaf1dec253dffb4db7d98aa5d0a72b0513e20786fa30a2c0a3f7639b94
Instruction Fuzzy Hash: 515102B0D002188FDB14CFA9D899BDDBBF1BF49314F15812AE816AB350D774A844CF95

Uniqueness

Uniqueness Score: -1.00%

Function 05D35A14 Relevance: 1.6, APIs: 1, Instructions: 133COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(00000000,00000000), ref: 05D35B5B

Memory Dump Source

Source File: 00000003.00000002.422394621.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5d30000_RegSvcs.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: a8c726b255c44ea2a768c898686a757ec9a9bb9a5abc7cce8c3660bcf76af823
Instruction ID: 9f5170370a1f3f62cac31a2b8d271c2f2dd223c03c3734cf1113dbfcf0867e20
Opcode Fuzzy Hash: a8c726b255c44ea2a768c898686a757ec9a9bb9a5abc7cce8c3660bcf76af823
Instruction Fuzzy Hash: AE5110B0D002588FDB18CFA9D899BDDBBF1BF49314F14812AE816AB390D774A844CF94

Uniqueness

Uniqueness Score: -1.00%

Function 05D3872F Relevance: 1.6, APIs: 1, Instructions: 130COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05D38A92

Memory Dump Source

Source File: 00000003.00000002.422394621.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5d30000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 0476aca559b657af33ac823f4ae41dea79abeec29c2734a0461ee45e5f01ca6a
Instruction ID: 8846552d3157f3b68e7f1e85cb72603936a1dcbc45f9a6a55a05b113dd728132
Opcode Fuzzy Hash: 0476aca559b657af33ac823f4ae41dea79abeec29c2734a0461ee45e5f01ca6a
Instruction Fuzzy Hash: 1161BB79902228CFCB64DF64D98969CB7B2BF89305F5041EAE44A63340DB359EC6CF11

Uniqueness

Uniqueness Score: -1.00%

Function 05D38777 Relevance: 1.6, APIs: 1, Instructions: 123COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05D38A92

Memory Dump Source

Source File: 00000003.00000002.422394621.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5d30000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: f602beaab72be335a9ff4a39740eb441b1fe26a77a7ce4e6ad345d80889a9d9c
Instruction ID: c6aacd610bd18a767617bed332f17e2d0cdfcc52eba464b67c9221a08af4de50
Opcode Fuzzy Hash: f602beaab72be335a9ff4a39740eb441b1fe26a77a7ce4e6ad345d80889a9d9c
Instruction Fuzzy Hash: E751BA79902228CFCB64DF64D98969CB7B2BF85305F5041EAE44AA3350DB359EC2CF61

Uniqueness

Uniqueness Score: -1.00%

Function 05D387BF Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05D38A92

Memory Dump Source

Source File: 00000003.00000002.422394621.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5d30000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 8b31107453eb673b77cab5be6a7c38da24c6cef28f6d31b4347cfaae982743ba
Instruction ID: baf175ae9028fa5bceed9ba87991ad3b3b4ae8b0b925f5592a69b878711b5458
Opcode Fuzzy Hash: 8b31107453eb673b77cab5be6a7c38da24c6cef28f6d31b4347cfaae982743ba
Instruction Fuzzy Hash: 4151D979902228CFCB64DF64D98969CB7B2BF85305F5041EAE44AA3350DB359EC2CF21

Uniqueness

Uniqueness Score: -1.00%

Function 05E8F108 Relevance: 1.6, APIs: 1, Instructions: 115registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,00000000,?), ref: 05E8F211

Memory Dump Source

Source File: 00000003.00000002.423690749.0000000005E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5e80000_RegSvcs.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 27efa5269d34bb08caf7d9e52a382bfc1f8d257e590b0a2c7a35c885ef02f808
Instruction ID: 5488fb05d0a73416a645c35559dc51b1673108786ba0830e24948b68fa6818ef
Opcode Fuzzy Hash: 27efa5269d34bb08caf7d9e52a382bfc1f8d257e590b0a2c7a35c885ef02f808
Instruction Fuzzy Hash: 6A4125B0E04318DFDB10DF99C884A9EBBF5BF48304F15816AE869AB354D774A805CF90

Uniqueness

Uniqueness Score: -1.00%

Function 05E8EE40 Relevance: 1.6, APIs: 1, Instructions: 115registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,00000000,?,00000001,?), ref: 05E8EF54

Memory Dump Source

Source File: 00000003.00000002.423690749.0000000005E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5e80000_RegSvcs.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 4480ebd539694ac1bd33734ab1ca2da1eb66901ab20d87d03872f4b12456cd19
Instruction ID: 3de9d0d0c205f11191a48b194285fd91f4b2ac0ceb1b212121c54432a0e21b1b
Opcode Fuzzy Hash: 4480ebd539694ac1bd33734ab1ca2da1eb66901ab20d87d03872f4b12456cd19
Instruction Fuzzy Hash: 324169B0E05249CFEB00DFA8C548A9EFFF5BF48314F19816AD408AB381D7759845CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05D38807 Relevance: 1.6, APIs: 1, Instructions: 109COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05D38A92

Memory Dump Source

Source File: 00000003.00000002.422394621.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5d30000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: bf4409d2d27c6eba59242284b246a96be89a4c727b08f3a84bfc2ac70ebd33fb
Instruction ID: 6898a62c9037619b6b1771e845625e6306687906ea9c33a2abf38940d25b6231
Opcode Fuzzy Hash: bf4409d2d27c6eba59242284b246a96be89a4c727b08f3a84bfc2ac70ebd33fb
Instruction Fuzzy Hash: CE51D979902228CFCB64DF64D98969CB7B2BF85305F5041EAE44AA3350DB359EC2CF21

Uniqueness

Uniqueness Score: -1.00%

Function 05D3884F Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05D38A92

Memory Dump Source

Source File: 00000003.00000002.422394621.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5d30000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 337b784b21ec4487aaf68f0961cf94140967becc25e889be4b736072f33e38aa
Instruction ID: 4bfe80b8d11f3bc379b628f1880393d5fd7179330e8ea98de49a36fac5335fd8
Opcode Fuzzy Hash: 337b784b21ec4487aaf68f0961cf94140967becc25e889be4b736072f33e38aa
Instruction Fuzzy Hash: 3251CB79902228CFCB64DF64D98969CB7B2BF85305F1041EAE54A63350DB359EC2CF21

Uniqueness

Uniqueness Score: -1.00%

Function 05D3888B Relevance: 1.6, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05D38A92

Memory Dump Source

Source File: 00000003.00000002.422394621.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5d30000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: baeb8cdd218c936100b828617dd61375dfb9a300b42b5ca6b92b9e5f4b21199b
Instruction ID: dc6589d343f9fdaa23a35b7bbab66f2daed2ee06a0533b6732549cf036ddcdf0
Opcode Fuzzy Hash: baeb8cdd218c936100b828617dd61375dfb9a300b42b5ca6b92b9e5f4b21199b
Instruction Fuzzy Hash: 9B41B879902228CFCB64DF64D98969DB7B2BF85305F1041EAE54AA2340DB359EC2CF61

Uniqueness

Uniqueness Score: -1.00%

Function 04D7A240 Relevance: 1.6, APIs: 1, Instructions: 89libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?), ref: 04D7D4C2

Memory Dump Source

Source File: 00000003.00000002.420414324.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4d70000_RegSvcs.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 718a9eec8ba0a3c9cc232068a752be92025e787c3faf8c16a6e8d7387895d65c
Instruction ID: a3715145967f3ed5d7f0508f02a1fd24f81febc659bb608d0eafcc62e4b71c29
Opcode Fuzzy Hash: 718a9eec8ba0a3c9cc232068a752be92025e787c3faf8c16a6e8d7387895d65c
Instruction Fuzzy Hash: CC3123B0D002599FDB24CFA9C8847AEBBF2FF08318F148529E815A7380E774A845CF95

Uniqueness

Uniqueness Score: -1.00%

Function 04D7D3ED Relevance: 1.6, APIs: 1, Instructions: 89libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?), ref: 04D7D4C2

Memory Dump Source

Source File: 00000003.00000002.420414324.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4d70000_RegSvcs.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 035afa5159799291140c07f76410b977770905cf530cc02f5dddf7e832ec0045
Instruction ID: 9d9ceeb70d9d0742833e9287bc0881ed0f5d2dd7a0b0c6c1bd44cdcd8e5a4068
Opcode Fuzzy Hash: 035afa5159799291140c07f76410b977770905cf530cc02f5dddf7e832ec0045
Instruction Fuzzy Hash: 3C3132B0D402599FDB14CFA8D8847EEBBF2BF08318F14852AE815A7380E774A445CF95

Uniqueness

Uniqueness Score: -1.00%

Function 05E8BA80 Relevance: 1.6, APIs: 1, Instructions: 88registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,00000000,?), ref: 05E8F211

Memory Dump Source

Source File: 00000003.00000002.423690749.0000000005E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5e80000_RegSvcs.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 690d48f21ce2a05bb42494facd553af6f7e36330b2fba3eefd9db03618d67546
Instruction ID: 1f537c45482cda46c1bd44b61bd40cace83af24713136bf0647031845dcc2472
Opcode Fuzzy Hash: 690d48f21ce2a05bb42494facd553af6f7e36330b2fba3eefd9db03618d67546
Instruction Fuzzy Hash: 8531F2B1D04258DFCB20DF9AD884ADEBBF5BF48314F54802AE869AB314D774A945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 05D388D3 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05D38A92

Memory Dump Source

Source File: 00000003.00000002.422394621.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5d30000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 83765ff83d4064347a747ff4b30771b393171e56bc8354d4ff60efef142c22fd
Instruction ID: 5b1e0c0e3cad49dc29327e45dfb263d95aaa29fd2ec59f74d3ef6c8346b9c675
Opcode Fuzzy Hash: 83765ff83d4064347a747ff4b30771b393171e56bc8354d4ff60efef142c22fd
Instruction Fuzzy Hash: 8341B979902228CFCB64DF64D98969DB7B2BF85305F1041EAE54AA2340DB359EC2CF21

Uniqueness

Uniqueness Score: -1.00%

Function 05D37237 Relevance: 1.6, APIs: 1, Instructions: 86fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,05D3721D), ref: 05D37300

Memory Dump Source

Source File: 00000003.00000002.422394621.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5d30000_RegSvcs.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 3e73093b6092de306d23a3766cfb960929c38a71de3e4616a470d59567bac5d7
Instruction ID: 9ae41a991df032d4a968491bcdc6147f0e135c23b1c09edd1cc40ab41f1d5e48
Opcode Fuzzy Hash: 3e73093b6092de306d23a3766cfb960929c38a71de3e4616a470d59567bac5d7
Instruction Fuzzy Hash: B131CFB0D086859FDB00CFAAD94479EBFF0FF49310F05816AD449A7351D738A945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05E8BA74 Relevance: 1.6, APIs: 1, Instructions: 83registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,00000000,?,00000001,?), ref: 05E8EF54

Memory Dump Source

Source File: 00000003.00000002.423690749.0000000005E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5e80000_RegSvcs.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: c2d557c10af136a36021b42c5e85435ffd8c21463fbf94d8305e6008e44b8841
Instruction ID: 6e6e4df5d42fee39be776b28fe509cc61f6669418bd3118f727ab9d4bbaca9e4
Opcode Fuzzy Hash: c2d557c10af136a36021b42c5e85435ffd8c21463fbf94d8305e6008e44b8841
Instruction Fuzzy Hash: BB31F2B0D052599FDB10DF99C588A9EFBF9BF48304F29816AE409AB340C7759845CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 05D3891B Relevance: 1.6, APIs: 1, Instructions: 81COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05D38A92

Memory Dump Source

Source File: 00000003.00000002.422394621.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5d30000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: e7fb60e949a78ab89b0fcaa91cee83ba083e3500647969ceb222c33d77ed7f7d
Instruction ID: b2f5840f30fb6070e0977d17792045a39740b433bdb2d9e1402dff8967a2692e
Opcode Fuzzy Hash: e7fb60e949a78ab89b0fcaa91cee83ba083e3500647969ceb222c33d77ed7f7d
Instruction Fuzzy Hash: D641CA79906228CFCB64DF64D98969DB7B2FF85305F1041EAE44AA2340CB359EC2CF11

Uniqueness

Uniqueness Score: -1.00%

Function 05D38963 Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05D38A92

Memory Dump Source

Source File: 00000003.00000002.422394621.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5d30000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 003b1785503f81920be797fb536b2895f23cf533ceebbdfd61f38103192de6ea
Instruction ID: b7d50b10d1c004153ff2d5aeac1b2832a4e2e4011121f46700a5177d8b8842e4
Opcode Fuzzy Hash: 003b1785503f81920be797fb536b2895f23cf533ceebbdfd61f38103192de6ea
Instruction Fuzzy Hash: 0B31BA79A06228CFCB64DF64D98969DB7B2FF85305F1041EAE54AA2340CB359E82CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05D389AB Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05D38A92

Memory Dump Source

Source File: 00000003.00000002.422394621.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5d30000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 855e6c8852daacee8f0571083e1634e7222c35f0aea7ed078cd712ecf406fe3e
Instruction ID: 3a7be7140e51d511c65a549df744942a10ee8ecbbb7db236981ece804d8219ba
Opcode Fuzzy Hash: 855e6c8852daacee8f0571083e1634e7222c35f0aea7ed078cd712ecf406fe3e
Instruction Fuzzy Hash: DF31CA79A06228CFCB64DF64D88969DB7B2FF85305F1041EAE54AA2340CB359EC2CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05D35E1C Relevance: 1.6, APIs: 1, Instructions: 59fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,05D3721D), ref: 05D37300

Memory Dump Source

Source File: 00000003.00000002.422394621.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5d30000_RegSvcs.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 766ab9c7859d89335ad3d786440cb1c0395f01ea0cc9bf03351dd4bcd3455b34
Instruction ID: 383dbe1cb9108c3339f54eaeb89d3ecd45a01ea4e3f214ff200d8b5c78bec6a6
Opcode Fuzzy Hash: 766ab9c7859d89335ad3d786440cb1c0395f01ea0cc9bf03351dd4bcd3455b34
Instruction Fuzzy Hash: B82129B1C0461A9BCB10DF9AC44579EFBF4FB48324F15852AD819B7640D734A944CFE5

Uniqueness

Uniqueness Score: -1.00%

Function 05D389F3 Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05D38A92

Memory Dump Source

Source File: 00000003.00000002.422394621.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5d30000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: a3568de9b1d88651fa7b9b200cbd2b43c86b36bf7d557192f33aa6018922112a
Instruction ID: fb700f291ebb9724855d85782afb79e88051ec4f5162a577e0ec5085a72d4d40
Opcode Fuzzy Hash: a3568de9b1d88651fa7b9b200cbd2b43c86b36bf7d557192f33aa6018922112a
Instruction Fuzzy Hash: A121DB79A06228CFCB64DF64D88969DB772FF85305F1041EAE54A92340CB319EC2CF51

Uniqueness

Uniqueness Score: -1.00%

Function 04D7550F Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 04D7559A

Memory Dump Source

Source File: 00000003.00000002.420414324.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4d70000_RegSvcs.jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 4652270ba7cb6774288f1e64f94b4c4ca3aa17d9e2b1701b268735a3d7f4a038
Instruction ID: 4f1a06afef9d76f1d7ac5b7876c5ece4fe96d0e244d9e9435569205ad6e48e8c
Opcode Fuzzy Hash: 4652270ba7cb6774288f1e64f94b4c4ca3aa17d9e2b1701b268735a3d7f4a038
Instruction Fuzzy Hash: E32186B1C01344CFDB20DFA9E9497DABBF8FB08314F14842AD904A6640E738A544CFA6

Uniqueness

Uniqueness Score: -1.00%

Function 04D75520 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 04D7559A

Memory Dump Source

Source File: 00000003.00000002.420414324.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4d70000_RegSvcs.jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: e1e2bd7774050fff07a0895616ea56fa7d5d3f559dd77261e06d503753687d53
Instruction ID: 4db7783cca970d2cd87540a360e3546afc8deb246ee1b0fb534d71adaa7e9180
Opcode Fuzzy Hash: e1e2bd7774050fff07a0895616ea56fa7d5d3f559dd77261e06d503753687d53
Instruction Fuzzy Hash: 1E1189B0901344CFDB20DFA9D8487DABBF8FB48314F148429D405A7641D739A944CFA6

Uniqueness

Uniqueness Score: -1.00%

Function 05D38A2F Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05D38A92

Memory Dump Source

Source File: 00000003.00000002.422394621.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5d30000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 44272c3a3bfe7d97eae234cf9f5dd4033718b34f0e4afd634b6b7ad4e3048575
Instruction ID: 508acaa1b12c010bfb648db7d9e1098f7d70634fbe93bce950a1acb8eb703973
Opcode Fuzzy Hash: 44272c3a3bfe7d97eae234cf9f5dd4033718b34f0e4afd634b6b7ad4e3048575
Instruction Fuzzy Hash: 0021A979A06228CFCB64DF64D98969DB7B2FF49305F1041EAE54A93340CB319E82CF51

Uniqueness

Uniqueness Score: -1.00%

Function 04D70AB0 Relevance: 1.6, APIs: 1, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

VirtualAllocExNuma.KERNELBASE(?,?,?,?,?,?), ref: 04D70B1E

Memory Dump Source

Source File: 00000003.00000002.420414324.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4d70000_RegSvcs.jbxd

Similarity

API ID: AllocNumaVirtual
String ID:
API String ID: 4233825816-0
Opcode ID: f50ef48e60497e09dfe18f82a8121ac1a5a7c796bafb95a7bfaf12064fedca6b
Instruction ID: 84c80cd23d9d5acd5ef95566a90b897b16c9efea3eccc74ceb5e8198bc9b2435
Opcode Fuzzy Hash: f50ef48e60497e09dfe18f82a8121ac1a5a7c796bafb95a7bfaf12064fedca6b
Instruction Fuzzy Hash: 831104B19042499FCB10CF9AD888BDFBBF8FB88324F148419E519A7250D775A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05D38A77 Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05D38A92

Memory Dump Source

Source File: 00000003.00000002.422394621.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5d30000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 416c8a2f6b2e74ade340f8425cc76c7afef2af5ba7a1133d7ea5bafea686714c
Instruction ID: 787102b83f8e10697bce33817a918eb7ee554291f4c16e8be2fb081002f3fbc7
Opcode Fuzzy Hash: 416c8a2f6b2e74ade340f8425cc76c7afef2af5ba7a1133d7ea5bafea686714c
Instruction Fuzzy Hash: 0611B979A06229CFCB64DF68D88969DB772FF89345F1041EAD54A93340CB315E82CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05E68C70 Relevance: 1.4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

D0tl, xrefs: 05E68DF3

Memory Dump Source

Source File: 00000003.00000002.423422264.0000000005E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5e60000_RegSvcs.jbxd

Similarity

API ID:
String ID: D0tl
API String ID: 0-504259687
Opcode ID: 39abed2145b0ff809f38ac076c15cb43cc1ed1e18aff22d4bd81d1f00ecaa148
Instruction ID: c8e76004c5e98a6295a631aa140f91307ff32c8a6930d82ceed602221f03ec01
Opcode Fuzzy Hash: 39abed2145b0ff809f38ac076c15cb43cc1ed1e18aff22d4bd81d1f00ecaa148
Instruction Fuzzy Hash: F141B275B086198FD714AF78C865A6E77A7EBC8380F154429D906DB388CF78DC0287E6

Uniqueness

Uniqueness Score: -1.00%

Function 04D70B63 Relevance: 1.3, APIs: 1, Instructions: 43sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE ref: 04D70BC7

Memory Dump Source

Source File: 00000003.00000002.420414324.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4d70000_RegSvcs.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: e853fd86b8bea59e7fcdda68205253a307ae2ca206c6c2284e85a67a93399090
Instruction ID: a9558b868024e2d66fb6480fc6e782eb080b3098795ea648b556d7fb05bf6b94
Opcode Fuzzy Hash: e853fd86b8bea59e7fcdda68205253a307ae2ca206c6c2284e85a67a93399090
Instruction Fuzzy Hash: 7F11D0B1804259CFDB20DF9AD488BDEBBF4EB48324F14841AD519A7240D774A945CFE1

Uniqueness

Uniqueness Score: -1.00%

Function 04D70B68 Relevance: 1.3, APIs: 1, Instructions: 41sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE ref: 04D70BC7

Memory Dump Source

Source File: 00000003.00000002.420414324.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4d70000_RegSvcs.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: a705ca7407b3de8eff09b874d3a551c092930d7fb95012566b2b621a9e685c4c
Instruction ID: aa9695c780165c9dfa8c59fdaca8b6d2a7453a68edcb20abb73a5952d4cf65d8
Opcode Fuzzy Hash: a705ca7407b3de8eff09b874d3a551c092930d7fb95012566b2b621a9e685c4c
Instruction Fuzzy Hash: 7111E2B1804259CFDB20DF9AD488BDEFBF4EB48324F14841AD519A7240D774A944CFE5

Uniqueness

Uniqueness Score: -1.00%

Function 05E69EA8 Relevance: .5, Instructions: 516COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.423422264.0000000005E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5e60000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c34d42647dd20156157549c14d1864d8f6aa9cd5e9d1095c46461d6f802d795
Instruction ID: 9a76015d89169dd07280b44bf7d4a805346bf8496f0fc9a956de3fe61455b389
Opcode Fuzzy Hash: 6c34d42647dd20156157549c14d1864d8f6aa9cd5e9d1095c46461d6f802d795
Instruction Fuzzy Hash: 52029B30F442049FDB04AB74D82876E7BA2EF89398F158529E916EB391EF34DC05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05E68598 Relevance: .4, Instructions: 426COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.423422264.0000000005E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5e60000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94e0193249c1bd8e0939e62d867dba754539252504165c1fa92bc21dce7a372b
Instruction ID: 3203fe651ea4b0ced4b32f2fac44473c39e6fb64129a251f07c318b4b7a1b5c5
Opcode Fuzzy Hash: 94e0193249c1bd8e0939e62d867dba754539252504165c1fa92bc21dce7a372b
Instruction Fuzzy Hash: 97E10331B086058FDB14DB68C8546BE77F6EF85384F05846AE186DB391DB34DC46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05E6EB40 Relevance: .4, Instructions: 375COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.423422264.0000000005E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5e60000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 859953ff57cd540fdbdfa58c2c06142e2d69f2c7f32c40fbab1cddd0e0b43d94
Instruction ID: d2900158e759640d07263bc6386f26be13929adad9b53af06674d38eeacfdbd7
Opcode Fuzzy Hash: 859953ff57cd540fdbdfa58c2c06142e2d69f2c7f32c40fbab1cddd0e0b43d94
Instruction Fuzzy Hash: EDD1F174A042088FCB14DF68C854AAEBBFAFF89394F11846AD149DB781DB31EC45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05E67A70 Relevance: .4, Instructions: 366COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.423422264.0000000005E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5e60000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f84f151c52481bd86cc512474d13eaa3d7232c1f1345205831f9bf4df5dbcc3
Instruction ID: 85ac6bc6161c15ad15dbcdfbab3406d6621d678f454086af0300acb85eae5bbf
Opcode Fuzzy Hash: 2f84f151c52481bd86cc512474d13eaa3d7232c1f1345205831f9bf4df5dbcc3
Instruction Fuzzy Hash: FEC1823470D7818FE70697649C156A67FB2EB86388F1680E7D184CF393EA68DC0AC761

Uniqueness

Uniqueness Score: -1.00%

Function 05E650B3 Relevance: .3, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.423422264.0000000005E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5e60000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab3d99f412a94b13127f4067f2f650ae6b51a8b40c02f5733669221a4e57711c
Instruction ID: 9acc655c0ba97078d8734f0207b5b22c0c763641957814ec09ff6598446a3460
Opcode Fuzzy Hash: ab3d99f412a94b13127f4067f2f650ae6b51a8b40c02f5733669221a4e57711c
Instruction Fuzzy Hash: 02C19B34B452048FDB04DFB8D888AADBBF2EF89288F61846AE406D7355DB34EC45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 05E6B1A0 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.423422264.0000000005E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5e60000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa6a9eb007aca4bff3a6513329a805d7ae670d46b2e254294fc896e7a6685305
Instruction ID: 17c03657890bdd175c8b84f64591633d35ea737d1d7a0e2d36372b1461ca471a
Opcode Fuzzy Hash: fa6a9eb007aca4bff3a6513329a805d7ae670d46b2e254294fc896e7a6685305
Instruction Fuzzy Hash: E0A1CE71A44249DFCF05CFA8C884AEDBBB6FF89390F158156E885EB350D770A855CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 05E66900 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.423422264.0000000005E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5e60000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2eba4104d4bc1a7822574a2286602d7d57045794329395e5f910911af4b25eb7
Instruction ID: db09221adcac25a07c20bef79e1d07bbc1ed89196418e15bb868e7574e57ceb1
Opcode Fuzzy Hash: 2eba4104d4bc1a7822574a2286602d7d57045794329395e5f910911af4b25eb7
Instruction Fuzzy Hash: 48814734754104CFCB44EF68D8989ADBBF2EF89358B1184A9E50ADB366DB31EC01CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05E66BC9 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.423422264.0000000005E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5e60000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9df9bcfb1401448ad11b0d9e8014b392a19f59232b4fbbdaf9a9ee3ecb0e2507
Instruction ID: ea0013a400924cc060737d37df8ebe15d6982285d73a5a081f762dc612222de2
Opcode Fuzzy Hash: 9df9bcfb1401448ad11b0d9e8014b392a19f59232b4fbbdaf9a9ee3ecb0e2507
Instruction Fuzzy Hash: 4B619270B501188BEF249BA8C894BBEB7B6FB893D8F115425D485D7381DB39DC418761

Uniqueness

Uniqueness Score: -1.00%

Function 05E65D89 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.423422264.0000000005E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5e60000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9121ee197407763b0533a226d1f4b83e00926193f5bde4d759e0ec9e8b1808bb
Instruction ID: 51971b249cd08643e1b72ed4e1793421aebf576f5df4e38431db9c8f0752c321
Opcode Fuzzy Hash: 9121ee197407763b0533a226d1f4b83e00926193f5bde4d759e0ec9e8b1808bb
Instruction Fuzzy Hash: CA61B230B093409FEB0197B8981876E7BE2EBCA248F1580BAD448CB392EF38DC45C751

Uniqueness

Uniqueness Score: -1.00%

Function 05E6AF10 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.423422264.0000000005E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5e60000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f578f6e995d4e124f73459a6dd6edf5623549301eada25b79a0d9f081dd04779
Instruction ID: beef424de6433c244158685d60c49104c2d0114a89abf7bc52c3a6c922252e16
Opcode Fuzzy Hash: f578f6e995d4e124f73459a6dd6edf5623549301eada25b79a0d9f081dd04779
Instruction Fuzzy Hash: 4E714934744205CFDB65DF28C898AAE7BEAFF49688F1510A5E852CB3A1DB70DC41CB51

Uniqueness

Uniqueness Score: -1.00%

Function 05E668E4 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.423422264.0000000005E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5e60000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0414281645b24063f4aaee25edd1d74f03c5546a70d32bf3778f2b88aebeca57
Instruction ID: f92f2af5cb59fd769947dd4b70de9da00b916a208218c24f2258e4e8c3c95183
Opcode Fuzzy Hash: 0414281645b24063f4aaee25edd1d74f03c5546a70d32bf3778f2b88aebeca57
Instruction Fuzzy Hash: 36712834754200CFCB44EF68D898969BBF2EF8935871684A9E506CB376DB71EC05CB51

Uniqueness

Uniqueness Score: -1.00%

Function 05E6B9C8 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.423422264.0000000005E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5e60000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87b028bad100b8d2b926726fac5384ace94cff5267ca597ae4daadd336d3e20c
Instruction ID: 059ec7eeb492617e235c4d7f0bc96818cbb0b59d57bfd0b610745c2348c5cd5c
Opcode Fuzzy Hash: 87b028bad100b8d2b926726fac5384ace94cff5267ca597ae4daadd336d3e20c
Instruction Fuzzy Hash: 69617C70E047498FDB11CFA5C540AAEBBF7BF89394F20825AD885EB245E770A945CF40

Uniqueness

Uniqueness Score: -1.00%

Function 05E6B9B8 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.423422264.0000000005E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5e60000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdbe8f741d39bc858e04cf97abb2f5c3e2aab77f10b2b11728134b8393df6c63
Instruction ID: e1cdc551a713109b4279eff506e9a71cba44527b5f6a840cbda7a592eb73460a
Opcode Fuzzy Hash: cdbe8f741d39bc858e04cf97abb2f5c3e2aab77f10b2b11728134b8393df6c63
Instruction Fuzzy Hash: 6F516B70E047498FDB11CFA5C540AEDBBF7BF89384F24825AE885AB245E770A985CF40

Uniqueness

Uniqueness Score: -1.00%

Function 05E6A55C Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.423422264.0000000005E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5e60000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4edd9ed013164fc401419ece1a94c74aa2fe298c9bcb148d2e4d07ddb7e5c578
Instruction ID: 42717bb711dfe9443aa03b6b5ce6ebd9d9b040c55d39db047a0a77923fc84d03
Opcode Fuzzy Hash: 4edd9ed013164fc401419ece1a94c74aa2fe298c9bcb148d2e4d07ddb7e5c578
Instruction Fuzzy Hash: 65414234F40205CFDB14EB74D81977E7AA6AB88299F148429E846E7790EF74DC41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05E6B36B Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.423422264.0000000005E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5e60000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d9de31a727539266348f9e312ebc4c7b1eb142341e8dfc3cb6386628bd9c069
Instruction ID: 2820620aa29db3dce279f8b82ed4db7e0478ab9fc5cc8b6a79a6b71c87c7de29
Opcode Fuzzy Hash: 8d9de31a727539266348f9e312ebc4c7b1eb142341e8dfc3cb6386628bd9c069
Instruction Fuzzy Hash: 2C41CF71A44209DFCF01CFA4C844AEDBBB6BF493D4F019152E895EB291E371D810CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 05E68368 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.423422264.0000000005E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5e60000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a181ca332d6d58fc342731eeca9fbe2e1341e85aa7da7e07392b08f4c504a2a3
Instruction ID: b5367a31238327a3ea8f515ac3a84c822ff75ab93cce1268c7c14bcebc47dcea
Opcode Fuzzy Hash: a181ca332d6d58fc342731eeca9fbe2e1341e85aa7da7e07392b08f4c504a2a3
Instruction Fuzzy Hash: 00319E71B482008BDB04ABB4D9196AE77F7AB88284B508469D406EB395EF34DC41CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 05E6B450 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.423422264.0000000005E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5e60000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6637cd45d43cd11f23912f5eccb35d051814278954360affd60484272250c4a7
Instruction ID: a910cd6486f2eb35faf0cd557fee1acdd225bd655255d4717310aec73f1ca42e
Opcode Fuzzy Hash: 6637cd45d43cd11f23912f5eccb35d051814278954360affd60484272250c4a7
Instruction Fuzzy Hash: EB3105316482059FDB10CF68C844BAA7BBBAF453D4F0686A6D4D5DB3A2D331E800CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00DDD4D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.411973661.0000000000DDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_ddd000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cfef9543896c71aaf5d0558487fe589c7ec0461d7be9bce1fb9c8a99d335f66
Instruction ID: 4be4010dbe1cd20b167ffb5a5bef4dc1f1bbbcc2e5dacd844a122b1d5cb91a13
Opcode Fuzzy Hash: 2cfef9543896c71aaf5d0558487fe589c7ec0461d7be9bce1fb9c8a99d335f66
Instruction Fuzzy Hash: 532125B1508240DFDF10CF14E9C0B26BB66FB99328F24856AE9094B346C336D856CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00DDD3EC Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.411973661.0000000000DDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_ddd000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ef6ca9795a4c73f052fcac6cf0b3dfb0b13ac6a38c98a2cede6e3b89c098329
Instruction ID: c3d23644fe0a1f1052b71f2f2cabefd223ba3861bb0f92f1e840b4035cbf7477
Opcode Fuzzy Hash: 1ef6ca9795a4c73f052fcac6cf0b3dfb0b13ac6a38c98a2cede6e3b89c098329
Instruction Fuzzy Hash: 4D2122B1508240EFDF00DF54D9C0B26BB66FB98324F24C96AE9494B306C336E846CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00DEE3F0 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.412065580.0000000000DED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_ded000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3bdbcee66f66b9a0e6466952791455b625117a9bb297217ae35baa2c9baecc5
Instruction ID: c3ad5492e382fb6f7c0e9d6e655fde308c1fb975436f8462bf28311eeb828937
Opcode Fuzzy Hash: d3bdbcee66f66b9a0e6466952791455b625117a9bb297217ae35baa2c9baecc5
Instruction Fuzzy Hash: 912107B1608280DFDB04EF15D8C4B26BB65FB88714F24C969D9494B386C336D846CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 05E6001F Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.423422264.0000000005E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5e60000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0435cf7c7fc1bcaf1aeee6f258e9142a878e1e34a0d00921fc6483bed8aaef26
Instruction ID: 756bcb85e101cfb6da5ceb9b30b50f705fdc0715edac8bffd71bda0a4c4524de
Opcode Fuzzy Hash: 0435cf7c7fc1bcaf1aeee6f258e9142a878e1e34a0d00921fc6483bed8aaef26
Instruction Fuzzy Hash: 91113A31F492249FEB119F64C44966E77A3EFC61E4F19C4A9C4855F302E7319C42C796

Uniqueness

Uniqueness Score: -1.00%

Function 00DDD4D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.411973661.0000000000DDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_ddd000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3cb3e44370515572fb733351235636ff71e6e31c7d1222fc57b3ac88bc4a795
Instruction ID: 9ae896d2e5cab2ad2664299b8aa687bda02b7d362e8a62f868adecf78e5acd67
Opcode Fuzzy Hash: f3cb3e44370515572fb733351235636ff71e6e31c7d1222fc57b3ac88bc4a795
Instruction Fuzzy Hash: 3511D376404280DFDF11CF14D9C4B16BF72FB95324F2886AAD8054B756C33AD856CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00DDD3E7 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.411973661.0000000000DDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_ddd000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3cb3e44370515572fb733351235636ff71e6e31c7d1222fc57b3ac88bc4a795
Instruction ID: 20033ec17bae86ac02ffaa68bef27af5ccd906b3fe9b09a0f06b4ed5d7ef2266
Opcode Fuzzy Hash: f3cb3e44370515572fb733351235636ff71e6e31c7d1222fc57b3ac88bc4a795
Instruction Fuzzy Hash: 77119D76404280DFDF11CF14D9C4B16BF62FB94324F28C6AAD8484A616C33AE85ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05E68E88 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.423422264.0000000005E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5e60000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be75495d86a4aaa1b54fb7fc7307adfc27afcd6a745fdc3e3cfe1ecf5af3f93e
Instruction ID: 78aa5cbd281e81fac81ae40a5ba76cb5ec8c9ed4ebfd0f8581be5a64bc630bd4
Opcode Fuzzy Hash: be75495d86a4aaa1b54fb7fc7307adfc27afcd6a745fdc3e3cfe1ecf5af3f93e
Instruction Fuzzy Hash: 77F012353842148FD708DB2AE954D2A37EAFFC9A957054469F506CB361DE71EC018750

Uniqueness

Uniqueness Score: -1.00%

Function 05E68E79 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.423422264.0000000005E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5e60000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 421be005fdab815a4ce87e39516e1dd3986930a5ad9201587fb8ffa5b820c5c7
Instruction ID: 695a0f189c1fa5f43969e5e46a76a67ef1de8dff6a25370dce9656d3c4482615
Opcode Fuzzy Hash: 421be005fdab815a4ce87e39516e1dd3986930a5ad9201587fb8ffa5b820c5c7
Instruction Fuzzy Hash: 52F082353842048FE7089B29E964B2937E6EFC96D5B0640A8E946CB3B0DA71EC01C750

Uniqueness

Uniqueness Score: -1.00%

Function 05E68E50 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.423422264.0000000005E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5e60000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9f221101199ef8b210fcad0f822ad9c6caada9478bf85f594fa3feb2cfc48af
Instruction ID: a080245780842c71b71e26f13a64413412dd6e37e3c2db3f8630cee3445ddd3a
Opcode Fuzzy Hash: c9f221101199ef8b210fcad0f822ad9c6caada9478bf85f594fa3feb2cfc48af
Instruction Fuzzy Hash: 23D01231B4993987165971ADA8109ED37DA97899F57001416D4898BB40DF65DC4143C9

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PURCHASE ORDER.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Persistence and Installation Behavior

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PAyWOGoRT.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PURCHASE ORDER.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\yGbzOMp.exe.log

C:\Users\user\AppData\Local\Temp\tmp6AED.tmp

C:\Users\user\AppData\Local\Temp\tmpF89B.tmp

C:\Users\user\AppData\Roaming\PAyWOGoRT.exe

C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Windows Analysis Report
PURCHASE ORDER.exe

Function 031C65A9 Relevance: 38.5, Strings: 29, Instructions: 2298
COMMON

Function 031C65B8 Relevance: 38.5, Strings: 29, Instructions: 2292
COMMON

Function 01553D9D Relevance: 2.8, Strings: 2, Instructions: 302
COMMON

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre