Edit tour

Windows Analysis Report
Purchase Order For Linear Actuator.exe

Overview

General Information

Sample name:	Purchase Order For Linear Actuator.exe
Analysis ID:	1539654
MD5:	d976a78b2d4808b87477685a86d5a876
SHA1:	050837857db80be506f890bb82dfb4809436aff2
SHA256:	ced54118236fb8dc881c3bd56f115cd557718c17cc585e859a725ccb4f3e6e60
Tags:	AgentTeslaexeuser-threatcat_ch
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected UAC Bypass using CMSTP

.NET source code references suspicious native API functions

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Contains functionality to log keystrokes (.Net Source)

Disables UAC (registry)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Installs a global keyboard hook

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file does not import any functions

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Outbound SMTP Connections

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Purchase Order For Linear Actuator.exe (PID: 2276 cmdline: "C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe" MD5: D976A78B2D4808B87477685A86D5A876)

powershell.exe (PID: 6008 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe" -Force MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 3648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

InstallUtil.exe (PID: 1132 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

WerFault.exe (PID: 5676 cmdline: C:\Windows\system32\WerFault.exe -u -p 2276 -s 1256 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "25", "Host": "mail.iaa-airferight.com", "Username": "mail@iaa-airferight.com", "Password": "Asaprocky11"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000004.00000002.4594266186.00000000031BC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.2191912651.00000250CC379000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000000.00000002.2192633166.00000250DDC00000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2192633166.00000250DDC00000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.4592709113.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.4592709113.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.4594266186.0000000003191000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.4594266186.0000000003191000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Purchase Order For Linear Actuator.exe PID: 2276	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Purchase Order For Linear Actuator.exe PID: 2276	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Purchase Order For Linear Actuator.exe PID: 2276	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Purchase Order For Linear Actuator.exe PID: 2276	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: InstallUtil.exe PID: 1132	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: InstallUtil.exe PID: 1132	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 9 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Purchase Order For Linear Actuator.exe.250ddc761f8.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Purchase Order For Linear Actuator.exe.250ddc761f8.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Purchase Order For Linear Actuator.exe.250ddc761f8.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316f7:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31769:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317f3:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31885:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318ef:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31961:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319f7:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a87:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Purchase Order For Linear Actuator.exe.250ddc761f8.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Purchase Order For Linear Actuator.exe.250ddc761f8.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Purchase Order For Linear Actuator.exe.250ddc761f8.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334f7:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33569:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335f3:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33685:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336ef:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33761:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337f7:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33887:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
4.2.InstallUtil.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.InstallUtil.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.InstallUtil.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334f7:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33569:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335f3:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33685:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336ef:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33761:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337f7:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33887:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Purchase Order For Linear Actuator.exe.250ddc3b7b0.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Purchase Order For Linear Actuator.exe.250ddc3b7b0.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Purchase Order For Linear Actuator.exe.250ddc3b7b0.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316f7:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31769:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317f3:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31885:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318ef:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31961:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319f7:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a87:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Purchase Order For Linear Actuator.exe.250ddc3b7b0.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Purchase Order For Linear Actuator.exe.250ddc3b7b0.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Purchase Order For Linear Actuator.exe.250ddc3b7b0.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334f7:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6df3f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33569:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6dfb1:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335f3:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6e03b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33685:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e0cd:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336ef:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e137:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33761:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6e1a9:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337f7:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e23f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33887:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6e2cf:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Click to see the 10 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe", ParentImage: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe, ParentProcessId: 2276, ParentProcessName: Purchase Order For Linear Actuator.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe" -Force, ProcessId: 6008, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 46.175.148.58, DestinationIsIpv6: false, DestinationPort: 25, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Initiated: true, ProcessId: 1132, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49713

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe", ParentImage: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe, ParentProcessId: 2276, ParentProcessName: Purchase Order For Linear Actuator.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe" -Force, ProcessId: 6008, ProcessName: powershell.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Purchase Order For Linear Actuator.exe

Avira: detected

Found malware configuration

Source: 0.2.Purchase Order For Linear Actuator.exe.250ddc761f8.1.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "25", "Host": "mail.iaa-airferight.com", "Username": "mail@iaa-airferight.com", "Password": "Asaprocky11"}

Multi AV Scanner detection for submitted file

Source: Purchase Order For Linear Actuator.exe

ReversingLabs: Detection: 50%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: Purchase Order For Linear Actuator.exe

Joe Sandbox ML: detected

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 00000000.00000002.2191912651.00000250CC379000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Purchase Order For Linear Actuator.exe PID: 2276, type: MEMORYSTR

Source: unknown

HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.6:49710 version: TLS 1.2

Source: Purchase Order For Linear Actuator.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: Purchase Order For Linear Actuator.exe, 00000000.00000002.2193967139.00000250E4D03000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: Purchase Order For Linear Actuator.exe, 00000000.00000002.2193967139.00000250E4D03000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.ni.pdb source: WER86B7.tmp.dmp.7.dr
Source:	Binary string: System.Drawing.ni.pdb source: WER86B7.tmp.dmp.7.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER86B7.tmp.dmp.7.dr
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WER86B7.tmp.dmp.7.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb* source: Purchase Order For Linear Actuator.exe, 00000000.00000002.2193967139.00000250E4CE2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: Purchase Order For Linear Actuator.exe, 00000000.00000002.2193967139.00000250E4CE2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Desktop\Purchase Order For Linear Actuator.PDB@^ source: Purchase Order For Linear Actuator.exe, 00000000.00000002.2191056508.000000BA60EF3000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER86B7.tmp.dmp.7.dr
Source:	Binary string: System.Core.ni.pdb source: WER86B7.tmp.dmp.7.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbr\Ap`Rv a source: Purchase Order For Linear Actuator.exe, 00000000.00000002.2193967139.00000250E4CE2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb' source: Purchase Order For Linear Actuator.exe, 00000000.00000002.2193967139.00000250E4D03000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb6R source: Purchase Order For Linear Actuator.exe, 00000000.00000002.2193967139.00000250E4CE2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdbhT source: WER86B7.tmp.dmp.7.dr
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WER86B7.tmp.dmp.7.dr
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: WER86B7.tmp.dmp.7.dr
Source:	Binary string: System.Windows.Forms.pdb0 source: WER86B7.tmp.dmp.7.dr
Source:	Binary string: mscorlib.ni.pdb source: WER86B7.tmp.dmp.7.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: Purchase Order For Linear Actuator.exe, 00000000.00000002.2193967139.00000250E4CE2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: Purchase Order For Linear Actuator.exe, 00000000.00000002.2193967139.00000250E4D03000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdbd@ source: Purchase Order For Linear Actuator.exe, 00000000.00000002.2193967139.00000250E4CE2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdbPV source: Purchase Order For Linear Actuator.exe, 00000000.00000002.2193967139.00000250E4CE2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WER86B7.tmp.dmp.7.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb source: Purchase Order For Linear Actuator.exe, 00000000.00000002.2193967139.00000250E4C70000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WER86B7.tmp.dmp.7.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdbs source: Purchase Order For Linear Actuator.exe, 00000000.00000002.2193967139.00000250E4D03000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Desktop\Purchase Order For Linear Actuator.PDB source: Purchase Order For Linear Actuator.exe, 00000000.00000002.2191056508.000000BA60EF3000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER86B7.tmp.dmp.7.dr
Source:	Binary string: \??\C:\Users\user\Desktop\Purchase Order For Linear Actuator.PDB source: Purchase Order For Linear Actuator.exe, 00000000.00000002.2193967139.00000250E4CE2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: .pdbHJ source: Purchase Order For Linear Actuator.exe, 00000000.00000002.2191056508.000000BA60EF3000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: WER86B7.tmp.dmp.7.dr
Source:	Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: Purchase Order For Linear Actuator.exe, 00000000.00000002.2191495229.00000250CAA3C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WER86B7.tmp.dmp.7.dr
Source:	Binary string: pC:\Users\user\Desktop\Purchase Order For Linear Actuator.PDB source: Purchase Order For Linear Actuator.exe, 00000000.00000002.2191056508.000000BA60EF3000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: Purchase Order For Linear Actuator.exe, 00000000.00000002.2193967139.00000250E4CE2000.00000004.00000020.00020000.00000000.sdmp, WER86B7.tmp.dmp.7.dr
Source:	Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdbphic Provider source: Purchase Order For Linear Actuator.exe, 00000000.00000002.2193967139.00000250E4CE2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.pdb source: WER86B7.tmp.dmp.7.dr
Source:	Binary string: System.Drawing.pdb source: WER86B7.tmp.dmp.7.dr
Source:	Binary string: System.Management.ni.pdb source: WER86B7.tmp.dmp.7.dr
Source:	Binary string: Purchase Order For Linear Actuator.PDB source: Purchase Order For Linear Actuator.exe, 00000000.00000002.2191056508.000000BA60EF3000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER86B7.tmp.dmp.7.dr
Source:	Binary string: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe1629843\objr\x86\Microsoft.VisualBasic.pdb" source: Purchase Order For Linear Actuator.exe, 00000000.00000002.2193967139.00000250E4CE2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbP source: Purchase Order For Linear Actuator.exe, 00000000.00000002.2191495229.00000250CAA90000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.pdbH source: WER86B7.tmp.dmp.7.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdbard.}^!# source: Purchase Order For Linear Actuator.exe, 00000000.00000002.2193967139.00000250E4C70000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WER86B7.tmp.dmp.7.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER86B7.tmp.dmp.7.dr

Source: Joe Sandbox View	IP Address: 46.175.148.58 46.175.148.58
Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205
Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205

Source: Joe Sandbox View

ASN Name: ASLAGIDKOM-NETUA ASLAGIDKOM-NETUA

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: global traffic

TCP traffic: 192.168.2.6:49713 -> 46.175.148.58:25

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: mail.iaa-airferight.com

Source: InstallUtil.exe, 00000004.00000002.4594266186.00000000031BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.iaa-airferight.com
Source: InstallUtil.exe, 00000004.00000002.4594266186.0000000003141000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.7.dr	String found in binary or memory: http://upx.sf.net
Source: Purchase Order For Linear Actuator.exe, 00000000.00000002.2192633166.00000250DDC00000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.4592709113.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: Purchase Order For Linear Actuator.exe, 00000000.00000002.2192633166.00000250DDC00000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.4594266186.0000000003141000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.4592709113.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: InstallUtil.exe, 00000004.00000002.4594266186.0000000003141000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: InstallUtil.exe, 00000004.00000002.4594266186.0000000003141000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t

Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710

Source: unknown

HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.6:49710 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.Purchase Order For Linear Actuator.exe.250ddc761f8.1.raw.unpack, abAX9N.cs	.Net Code: BFeixnEv
Source: 0.2.Purchase Order For Linear Actuator.exe.250ddc3b7b0.2.raw.unpack, abAX9N.cs	.Net Code: BFeixnEv

Installs a global keyboard hook

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.Purchase Order For Linear Actuator.exe.250ddc761f8.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Purchase Order For Linear Actuator.exe.250ddc761f8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 4.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Purchase Order For Linear Actuator.exe.250ddc3b7b0.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Purchase Order For Linear Actuator.exe.250ddc3b7b0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Purchase Order For Linear Actuator.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Code function: 0_2_00007FFD344335F0	0_2_00007FFD344335F0
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Code function: 0_2_00007FFD34433740	0_2_00007FFD34433740
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Code function: 0_2_00007FFD34437EE8	0_2_00007FFD34437EE8
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Code function: 0_2_00007FFD34432718	0_2_00007FFD34432718
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Code function: 0_2_00007FFD3443A858	0_2_00007FFD3443A858
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Code function: 0_2_00007FFD3443B011	0_2_00007FFD3443B011
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Code function: 0_2_00007FFD34437960	0_2_00007FFD34437960
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Code function: 0_2_00007FFD34443B5C	0_2_00007FFD34443B5C
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Code function: 0_2_00007FFD3443DB99	0_2_00007FFD3443DB99
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Code function: 0_2_00007FFD3443AC30	0_2_00007FFD3443AC30
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Code function: 0_2_00007FFD34430BE9	0_2_00007FFD34430BE9
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Code function: 0_2_00007FFD34431CC0	0_2_00007FFD34431CC0
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Code function: 0_2_00007FFD3443169D	0_2_00007FFD3443169D
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Code function: 0_2_00007FFD34438EA9	0_2_00007FFD34438EA9
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Code function: 0_2_00007FFD344360C5	0_2_00007FFD344360C5
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Code function: 0_2_00007FFD34438260	0_2_00007FFD34438260
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Code function: 0_2_00007FFD34439A9C	0_2_00007FFD34439A9C
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Code function: 0_2_00007FFD34443BA9	0_2_00007FFD34443BA9
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Code function: 0_2_00007FFD344393DC	0_2_00007FFD344393DC
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Code function: 0_2_00007FFD34443439	0_2_00007FFD34443439
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Code function: 0_2_00007FFD345011DB	0_2_00007FFD345011DB
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Code function: 0_2_00007FFD3450026B	0_2_00007FFD3450026B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_02F64A98	4_2_02F64A98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_02F6A968	4_2_02F6A968
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_02F63E80	4_2_02F63E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_02F641C8	4_2_02F641C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_02F6F8A5	4_2_02F6F8A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_05C4E0C8	4_2_05C4E0C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_05C445A0	4_2_05C445A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_05C43D70	4_2_05C43D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_05C43578	4_2_05C43578
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_05C45650	4_2_05C45650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_05C40AB8	4_2_05C40AB8

Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2276 -s 1256

Source: Purchase Order For Linear Actuator.exe

Static PE information: No import functions for PE file found

Source: Purchase Order For Linear Actuator.exe, 00000000.00000000.2122514681.00000250CA732000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameNewcastle.exe4 vs Purchase Order For Linear Actuator.exe
Source: Purchase Order For Linear Actuator.exe, 00000000.00000002.2191790746.00000250CAB20000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameUmofumoqeD vs Purchase Order For Linear Actuator.exe
Source: Purchase Order For Linear Actuator.exe, 00000000.00000002.2192633166.00000250DDC00000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename8854fa4e-ee03-4899-b0c3-2df80b3f7614.exe4 vs Purchase Order For Linear Actuator.exe
Source: Purchase Order For Linear Actuator.exe, 00000000.00000002.2192633166.00000250DC367000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUmofumoqeD vs Purchase Order For Linear Actuator.exe
Source: Purchase Order For Linear Actuator.exe	Binary or memory string: OriginalFilenameNewcastle.exe4 vs Purchase Order For Linear Actuator.exe

Source: 0.2.Purchase Order For Linear Actuator.exe.250ddc761f8.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Purchase Order For Linear Actuator.exe.250ddc761f8.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Purchase Order For Linear Actuator.exe.250ddc3b7b0.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Purchase Order For Linear Actuator.exe.250ddc3b7b0.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: 0.2.Purchase Order For Linear Actuator.exe.250ddc761f8.1.raw.unpack, RsYAkkzVoy.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Purchase Order For Linear Actuator.exe.250ddc761f8.1.raw.unpack, Kqqzixk.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Purchase Order For Linear Actuator.exe.250ddc761f8.1.raw.unpack, xROdzGigX.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Purchase Order For Linear Actuator.exe.250ddc761f8.1.raw.unpack, ywes.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Purchase Order For Linear Actuator.exe.250ddc761f8.1.raw.unpack, iPVW0zV.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.Purchase Order For Linear Actuator.exe.250ddc761f8.1.raw.unpack, 1Pi9sgbHwoV.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Purchase Order For Linear Actuator.exe.250ddc761f8.1.raw.unpack, YUgDfWK2g4.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Purchase Order For Linear Actuator.exe.250ddc761f8.1.raw.unpack, YUgDfWK2g4.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.Purchase Order For Linear Actuator.exe.250ddc761f8.1.raw.unpack, MarWtcu.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Purchase Order For Linear Actuator.exe.250ddc761f8.1.raw.unpack, MarWtcu.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Purchase Order For Linear Actuator.exe.250ddc761f8.1.raw.unpack, MarWtcu.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Purchase Order For Linear Actuator.exe.250ddc761f8.1.raw.unpack, MarWtcu.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: Purchase Order For Linear Actuator.exe, 00000000.00000002.2191495229.00000250CAA3C000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@7/10@2/2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3648:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2276

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xnibpavs.41c.ps1

Jump to behavior

Source: Purchase Order For Linear Actuator.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Purchase Order For Linear Actuator.exe

ReversingLabs: Detection: 50%

Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe

File read: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe "C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe"
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe" -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2276 -s 1256
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe" -Force	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: edputil.dll	Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: Purchase Order For Linear Actuator.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Purchase Order For Linear Actuator.exe

Static file information: File size 3677748 > 1048576

Source: Purchase Order For Linear Actuator.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: Purchase Order For Linear Actuator.exe, 00000000.00000002.2193967139.00000250E4D03000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: Purchase Order For Linear Actuator.exe, 00000000.00000002.2193967139.00000250E4D03000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.ni.pdb source: WER86B7.tmp.dmp.7.dr
Source:	Binary string: System.Drawing.ni.pdb source: WER86B7.tmp.dmp.7.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER86B7.tmp.dmp.7.dr
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WER86B7.tmp.dmp.7.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb* source: Purchase Order For Linear Actuator.exe, 00000000.00000002.2193967139.00000250E4CE2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: Purchase Order For Linear Actuator.exe, 00000000.00000002.2193967139.00000250E4CE2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Desktop\Purchase Order For Linear Actuator.PDB@^ source: Purchase Order For Linear Actuator.exe, 00000000.00000002.2191056508.000000BA60EF3000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER86B7.tmp.dmp.7.dr
Source:	Binary string: System.Core.ni.pdb source: WER86B7.tmp.dmp.7.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbr\Ap`Rv a source: Purchase Order For Linear Actuator.exe, 00000000.00000002.2193967139.00000250E4CE2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb' source: Purchase Order For Linear Actuator.exe, 00000000.00000002.2193967139.00000250E4D03000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb6R source: Purchase Order For Linear Actuator.exe, 00000000.00000002.2193967139.00000250E4CE2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdbhT source: WER86B7.tmp.dmp.7.dr
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WER86B7.tmp.dmp.7.dr
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: WER86B7.tmp.dmp.7.dr
Source:	Binary string: System.Windows.Forms.pdb0 source: WER86B7.tmp.dmp.7.dr
Source:	Binary string: mscorlib.ni.pdb source: WER86B7.tmp.dmp.7.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: Purchase Order For Linear Actuator.exe, 00000000.00000002.2193967139.00000250E4CE2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: Purchase Order For Linear Actuator.exe, 00000000.00000002.2193967139.00000250E4D03000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdbd@ source: Purchase Order For Linear Actuator.exe, 00000000.00000002.2193967139.00000250E4CE2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdbPV source: Purchase Order For Linear Actuator.exe, 00000000.00000002.2193967139.00000250E4CE2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WER86B7.tmp.dmp.7.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb source: Purchase Order For Linear Actuator.exe, 00000000.00000002.2193967139.00000250E4C70000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WER86B7.tmp.dmp.7.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdbs source: Purchase Order For Linear Actuator.exe, 00000000.00000002.2193967139.00000250E4D03000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Desktop\Purchase Order For Linear Actuator.PDB source: Purchase Order For Linear Actuator.exe, 00000000.00000002.2191056508.000000BA60EF3000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER86B7.tmp.dmp.7.dr
Source:	Binary string: \??\C:\Users\user\Desktop\Purchase Order For Linear Actuator.PDB source: Purchase Order For Linear Actuator.exe, 00000000.00000002.2193967139.00000250E4CE2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: .pdbHJ source: Purchase Order For Linear Actuator.exe, 00000000.00000002.2191056508.000000BA60EF3000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: WER86B7.tmp.dmp.7.dr
Source:	Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: Purchase Order For Linear Actuator.exe, 00000000.00000002.2191495229.00000250CAA3C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WER86B7.tmp.dmp.7.dr
Source:	Binary string: pC:\Users\user\Desktop\Purchase Order For Linear Actuator.PDB source: Purchase Order For Linear Actuator.exe, 00000000.00000002.2191056508.000000BA60EF3000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: Purchase Order For Linear Actuator.exe, 00000000.00000002.2193967139.00000250E4CE2000.00000004.00000020.00020000.00000000.sdmp, WER86B7.tmp.dmp.7.dr
Source:	Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdbphic Provider source: Purchase Order For Linear Actuator.exe, 00000000.00000002.2193967139.00000250E4CE2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.pdb source: WER86B7.tmp.dmp.7.dr
Source:	Binary string: System.Drawing.pdb source: WER86B7.tmp.dmp.7.dr
Source:	Binary string: System.Management.ni.pdb source: WER86B7.tmp.dmp.7.dr
Source:	Binary string: Purchase Order For Linear Actuator.PDB source: Purchase Order For Linear Actuator.exe, 00000000.00000002.2191056508.000000BA60EF3000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER86B7.tmp.dmp.7.dr
Source:	Binary string: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe1629843\objr\x86\Microsoft.VisualBasic.pdb" source: Purchase Order For Linear Actuator.exe, 00000000.00000002.2193967139.00000250E4CE2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbP source: Purchase Order For Linear Actuator.exe, 00000000.00000002.2191495229.00000250CAA90000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.pdbH source: WER86B7.tmp.dmp.7.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdbard.}^!# source: Purchase Order For Linear Actuator.exe, 00000000.00000002.2193967139.00000250E4C70000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WER86B7.tmp.dmp.7.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER86B7.tmp.dmp.7.dr

Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Code function: 0_2_00007FFD34437195 push edx; retf	0_2_00007FFD344372FB
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Code function: 0_2_00007FFD344300BD pushad ; iretd	0_2_00007FFD344300C1
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Code function: 0_2_00007FFD3450026B push esp; retf 4810h	0_2_00007FFD34500312
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_02F60C45 push ebx; retf	4_2_02F60C52

Hooking and other Techniques for Hiding and Protection

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Source: initial sample

Icon embedded in binary file: icon matches a legit application icon: download (31).png

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: Purchase Order For Linear Actuator.exe PID: 2276, type: MEMORYSTR

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Purchase Order For Linear Actuator.exe, 00000000.00000002.2191912651.00000250CC3A8000.00000004.00000800.00020000.00000000.sdmp, Purchase Order For Linear Actuator.exe, 00000000.00000002.2191912651.00000250CC379000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: Purchase Order For Linear Actuator.exe, 00000000.00000002.2191912651.00000250CC379000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: Purchase Order For Linear Actuator.exe, 00000000.00000002.2191912651.00000250CC3A8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLLP

Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Memory allocated: 250CA9B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Memory allocated: 250E4360000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2F60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 3140000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2F90000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	File opened / queried: C:\WINDOWS\system32\drivers\vmmouse.sys	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\disk\Enum name: 0	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	File opened / queried: C:\WINDOWS\system32\drivers\vmhgfs.sys	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	File opened / queried: C:\WINDOWS\system32\drivers\VBoxMouse.sys	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7118	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2415	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 3509	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 6349	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1408	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5764	Thread sleep count: 35 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5764	Thread sleep time: -32281802128991695s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5764	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6548	Thread sleep count: 3509 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5764	Thread sleep time: -99840s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5764	Thread sleep time: -99718s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5764	Thread sleep time: -99609s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5764	Thread sleep time: -99500s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6548	Thread sleep count: 6349 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5764	Thread sleep time: -99390s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5764	Thread sleep time: -99281s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5764	Thread sleep time: -99170s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5764	Thread sleep time: -99058s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5764	Thread sleep time: -98953s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5764	Thread sleep time: -98844s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5764	Thread sleep time: -98734s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5764	Thread sleep time: -98625s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5764	Thread sleep time: -98515s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5764	Thread sleep time: -98402s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5764	Thread sleep time: -98296s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5764	Thread sleep time: -98186s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5764	Thread sleep time: -98078s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5764	Thread sleep time: -97968s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5764	Thread sleep time: -97857s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5764	Thread sleep time: -97746s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5764	Thread sleep time: -97641s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5764	Thread sleep time: -97531s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5764	Thread sleep time: -97422s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5764	Thread sleep time: -97313s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5764	Thread sleep time: -97203s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5764	Thread sleep time: -97094s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5764	Thread sleep time: -96984s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5764	Thread sleep time: -96875s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5764	Thread sleep time: -96766s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5764	Thread sleep time: -96656s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5764	Thread sleep time: -96547s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5764	Thread sleep time: -96437s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5764	Thread sleep time: -96328s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5764	Thread sleep time: -96219s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5764	Thread sleep time: -96109s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5764	Thread sleep time: -96000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5764	Thread sleep time: -95890s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5764	Thread sleep time: -95781s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5764	Thread sleep time: -95672s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5764	Thread sleep time: -95562s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5764	Thread sleep time: -95453s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5764	Thread sleep time: -95343s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5764	Thread sleep time: -95234s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5764	Thread sleep time: -95125s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5764	Thread sleep time: -95016s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5764	Thread sleep time: -94906s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5764	Thread sleep time: -94797s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5764	Thread sleep time: -94687s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5764	Thread sleep time: -94578s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99840	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99718	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99390	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99170	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99058	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98515	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98402	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98296	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98186	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97968	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97857	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97746	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 95890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 95781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 95672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 95562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 95453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 95343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 95234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 95125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 95016	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 94906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 94797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 94687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 94578	Jump to behavior

Source: Purchase Order For Linear Actuator.exe, 00000000.00000002.2191912651.00000250CC3A8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: QEMUP
Source: Amcache.hve.7.dr	Binary or memory string: VMware
Source: Purchase Order For Linear Actuator.exe, 00000000.00000002.2191912651.00000250CC3A8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: "SOFTWARE\VMware, Inc.\VMware ToolsP
Source: Purchase Order For Linear Actuator.exe, 00000000.00000002.2191912651.00000250CC379000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Amcache.hve.7.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Purchase Order For Linear Actuator.exe, 00000000.00000002.2191912651.00000250CC379000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE
Source: Purchase Order For Linear Actuator.exe, 00000000.00000002.2191912651.00000250CC379000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: Amcache.hve.7.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.7.dr	Binary or memory string: vmci.sys
Source: Purchase Order For Linear Actuator.exe, 00000000.00000002.2191912651.00000250CC379000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
Source: Purchase Order For Linear Actuator.exe, 00000000.00000002.2191912651.00000250CC379000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: Purchase Order For Linear Actuator.exe, 00000000.00000002.2191912651.00000250CC379000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: Amcache.hve.7.dr	Binary or memory string: VMware20,1
Source: Purchase Order For Linear Actuator.exe, 00000000.00000002.2191912651.00000250CC3A8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: &C:\WINDOWS\system32\drivers\vmhgfs.sysP
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.7.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.7.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.7.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Purchase Order For Linear Actuator.exe, 00000000.00000002.2191912651.00000250CC379000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: Purchase Order For Linear Actuator.exe, 00000000.00000002.2191912651.00000250CC379000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: Amcache.hve.7.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.7.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Purchase Order For Linear Actuator.exe, 00000000.00000002.2191912651.00000250CC3A8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWAREP
Source: Purchase Order For Linear Actuator.exe, 00000000.00000002.2191912651.00000250CC3A8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWAREPYN4
Source: Amcache.hve.7.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Purchase Order For Linear Actuator.exe, 00000000.00000002.2191912651.00000250CC3A8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmwareP
Source: Amcache.hve.7.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.7.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.7.dr	Binary or memory string: VMware20,1hbin@
Source: Purchase Order For Linear Actuator.exe, 00000000.00000002.2191912651.00000250CC3A8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: )C:\WINDOWS\system32\drivers\VBoxMouse.sysP
Source: Amcache.hve.7.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.7.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.7.dr	Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: Amcache.hve.7.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Purchase Order For Linear Actuator.exe, 00000000.00000002.2191912651.00000250CC3A8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: %C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\P
Source: Purchase Order For Linear Actuator.exe, 00000000.00000002.2191912651.00000250CC379000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: Purchase Order For Linear Actuator.exe, 00000000.00000002.2191912651.00000250CC379000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: Amcache.hve.7.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.7.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Purchase Order For Linear Actuator.exe, 00000000.00000002.2191912651.00000250CC3A8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA IIP
Source: InstallUtil.exe, 00000004.00000002.4596639023.0000000006440000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Purchase Order For Linear Actuator.exe, 00000000.00000002.2191912651.00000250CC3A8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'C:\WINDOWS\system32\drivers\vmmouse.sysP
Source: Amcache.hve.7.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.7.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Purchase Order For Linear Actuator.exe, 00000000.00000002.2191912651.00000250CC379000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: Amcache.hve.7.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Purchase Order For Linear Actuator.exe, 00000000.00000002.2191912651.00000250CC3A8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: "SOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: Purchase Order For Linear Actuator.exe, ------------.cs	Reference to suspicious API methods: GetProcAddress(_06E7, _FDFC)
Source: Purchase Order For Linear Actuator.exe, ------------.cs	Reference to suspicious API methods: VirtualProtect(procAddress, (UIntPtr)(ulong)_FBB3_06D4.Length, 64u, out var __0606_FBB6_FDE3_FD44_06ED_FDFE_FDE6)
Source: Purchase Order For Linear Actuator.exe, ------------.cs	Reference to suspicious API methods: LoadLibrary(_FBCC(0, ))
Source: 0.2.Purchase Order For Linear Actuator.exe.250ddc761f8.1.raw.unpack, DWQSVyCYV.cs	Reference to suspicious API methods: uJn9vmw.OpenProcess(_9bBuo4xIRNG.DuplicateHandle, bInheritHandle: true, (uint)lKyMoD2.ProcessID)

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe" -Force
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe" -Force			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 43C000	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 43E000	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: E1E008	Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe" -Force			Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"			Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe	Queries volume information: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Disables UAC (registry)

Source: C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA

Jump to behavior

Source: Amcache.hve.7.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.2.Purchase Order For Linear Actuator.exe.250ddc761f8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order For Linear Actuator.exe.250ddc761f8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order For Linear Actuator.exe.250ddc3b7b0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order For Linear Actuator.exe.250ddc3b7b0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4594266186.00000000031BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2192633166.00000250DDC00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4592709113.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4594266186.0000000003191000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Purchase Order For Linear Actuator.exe PID: 2276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 1132, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 0.2.Purchase Order For Linear Actuator.exe.250ddc761f8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order For Linear Actuator.exe.250ddc761f8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order For Linear Actuator.exe.250ddc3b7b0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order For Linear Actuator.exe.250ddc3b7b0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2192633166.00000250DDC00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4592709113.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4594266186.0000000003191000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Purchase Order For Linear Actuator.exe PID: 2276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 1132, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.2.Purchase Order For Linear Actuator.exe.250ddc761f8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order For Linear Actuator.exe.250ddc761f8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order For Linear Actuator.exe.250ddc3b7b0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order For Linear Actuator.exe.250ddc3b7b0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4594266186.00000000031BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2192633166.00000250DDC00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4592709113.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4594266186.0000000003191000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Purchase Order For Linear Actuator.exe PID: 2276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 1132, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	221 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	21 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	211 Process Injection	1 Deobfuscate/Decode Files or Information	21 Input Capture	24 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	1 Credentials in Registry	341 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 Process Discovery	Distributed Component Object Model	21 Input Capture	23 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	261 Virtualization/Sandbox Evasion	SSH	1 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	261 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	211 Process Injection	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
Purchase Order For Linear Actuator.exe	50%	ReversingLabs	ByteCode-MSIL.Trojan.AntiSandbox
Purchase Order For Linear Actuator.exe	100%	Avira	TR/AD.GenSteal.giydu
Purchase Order For Linear Actuator.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://api.ipify.org/	0%	URL Reputation	safe
https://api.ipify.org	0%	URL Reputation	safe
http://upx.sf.net	0%	URL Reputation	safe
https://account.dyn.com/	0%	URL Reputation	safe
https://api.ipify.org/t	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mail.iaa-airferight.com	46.175.148.58	true	true		unknown
api.ipify.org	104.26.13.205	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.ipify.org	Purchase Order For Linear Actuator.exe, 00000000.00000002.2192633166.00000250DDC00000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.4594266186.0000000003141000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.4592709113.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://upx.sf.net	Amcache.hve.7.dr	false	URL Reputation: safe	unknown
https://account.dyn.com/	Purchase Order For Linear Actuator.exe, 00000000.00000002.2192633166.00000250DDC00000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.4592709113.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ipify.org/t	InstallUtil.exe, 00000004.00000002.4594266186.0000000003141000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	InstallUtil.exe, 00000004.00000002.4594266186.0000000003141000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mail.iaa-airferight.com	InstallUtil.exe, 00000004.00000002.4594266186.00000000031BC000.00000004.00000800.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
46.175.148.58	mail.iaa-airferight.com	Ukraine		56394	ASLAGIDKOM-NETUA	true
104.26.13.205	api.ipify.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1539654
Start date and time:	2024-10-22 23:54:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 58s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Purchase Order For Linear Actuator.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@7/10@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 86% Number of executed functions: 71 Number of non-executed functions: 7
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.20
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, login.live.com, otelrules.azureedge.net, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: Purchase Order For Linear Actuator.exe

Simulations

Behavior and APIs

Time	Type	Description
17:55:00	API Interceptor	19x Sleep call for process: powershell.exe modified
17:55:02	API Interceptor	12463193x Sleep call for process: InstallUtil.exe modified
17:55:04	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
46.175.148.58	PO FOR CONNECTOR WITH TERMINAL.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse
	New PO-Auras Demand.exe	Get hash	malicious	AgentTesla	Browse
	SecuriteInfo.com.BackDoor.AgentTeslaNET.37.28277.26776.exe	Get hash	malicious	AgentTesla	Browse
	New Purchase Order 568330.exe	Get hash	malicious	AgentTesla	Browse
	SecuriteInfo.com.Win32.PWSX-gen.20380.30925.exe	Get hash	malicious	AgentTesla	Browse
	rrpC2ZDgUd.exe	Get hash	malicious	AgentTesla	Browse
	92ZZIUHzPQ.exe	Get hash	malicious	AgentTesla	Browse
	BNF5Z6GuGw.exe	Get hash	malicious	AgentTesla	Browse
	cvRkgDx2mc.exe	Get hash	malicious	AgentTesla	Browse
	Iw7mPc6fCG.exe	Get hash	malicious	AgentTesla	Browse
104.26.13.205	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	Prismifyr-Install.exe	Get hash	malicious	Node Stealer	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
mail.iaa-airferight.com	PO FOR CONNECTOR WITH TERMINAL.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	46.175.148.58
	New PO-Auras Demand.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	SecuriteInfo.com.BackDoor.AgentTeslaNET.37.28277.26776.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	New Purchase Order 568330.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	SecuriteInfo.com.Win32.PWSX-gen.20380.30925.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	rrpC2ZDgUd.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	92ZZIUHzPQ.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	BNF5Z6GuGw.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	cvRkgDx2mc.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	Iw7mPc6fCG.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
api.ipify.org	Play_VoiceMsg_mchee@eq3.com_{RANDOM_NUMBER5}CQDM.html	Get hash	malicious	EvilProxy, HTMLPhisher	Browse	104.26.13.205
	SecuriteInfo.com.Python.Stealer.1251.9496.6786.exe	Get hash	malicious	Python Stealer, BLX Stealer, XLABB Grabber	Browse	104.26.12.205
	SecuriteInfo.com.Python.Stealer.1251.9496.6786.exe	Get hash	malicious	Python Stealer, BLX Stealer, XLABB Grabber	Browse	172.67.74.152
	MlGBT3hUEG.exe	Get hash	malicious	Unknown	Browse	104.26.13.205
	FZCO - PO#12345.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	Ref#150689.vbe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	PO FOR CONNECTOR WITH TERMINAL.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	104.26.13.205
	PO 0039499059996600 dtated 10222024.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	DHL.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	172.67.74.152
	Documenti di spedizione.bat.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.13.205

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ASLAGIDKOM-NETUA	PO FOR CONNECTOR WITH TERMINAL.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	46.175.148.58
	New PO-Auras Demand.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	SecuriteInfo.com.BackDoor.AgentTeslaNET.37.28277.26776.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	New Purchase Order 568330.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	SecuriteInfo.com.Win32.PWSX-gen.20380.30925.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	rrpC2ZDgUd.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	92ZZIUHzPQ.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	BNF5Z6GuGw.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	cvRkgDx2mc.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	Iw7mPc6fCG.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
CLOUDFLARENETUS	Play_VoiceMsg_mchee@eq3.com_{RANDOM_NUMBER5}CQDM.html	Get hash	malicious	EvilProxy, HTMLPhisher	Browse	104.26.13.205
	SecuriteInfo.com.Python.Stealer.1251.9496.6786.exe	Get hash	malicious	Python Stealer, BLX Stealer, XLABB Grabber	Browse	104.26.12.205
	SecuriteInfo.com.Python.Stealer.1251.9496.6786.exe	Get hash	malicious	Python Stealer, BLX Stealer, XLABB Grabber	Browse	172.67.74.152
	Doc 784-01965670.exe	Get hash	malicious	FormBook	Browse	188.114.96.3
	Iccusa_Receipt.zip	Get hash	malicious	Unknown	Browse	188.114.96.3
	FINAL SETTLEMENT DOCUMENT_ LIEN WAVER DURATION- 57185f7898fa8b51ebd3deed1492e65365186c19.eml	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://humorous-tiger-mdjc51.mystrikingly.com/share	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://email.email.pandadoc.net/c/eJxUkMtu2zoQhp9G3NkQhxQlLbRIjo8QpKjRS5qi3QTD4TCmZYuyRNm1nr4w0PSyGwzmG3z_7xprlPWVcJHmI_fpJbjmguOnLn78cm0vTw-4fw8_dttdENzIEmoji9oYsWsAtST2VKmiVOSoJqdyVNYa9pUnKUIDOWiZA0hTgDZrUNoXnphIopaly3TORwyH9YC9Qxdp3XMSYXpJIxKjPXCTxpnFodmlNEyZusugzaDFYfiDUDxm0L7pZ9CeIVNtih33mdpIlF4hGzaGIM8ta2mV83UNlbFYlJCbQhsoM9WKPqbgA2EKsb_VACXX1jKtlM9hpQHcqiKvVsZXuvB16WTBIo6v2IflN7T_8Ly_7-p6G_bz4wbM8n1Sp6MYG7ePPU-Zzu186Pg0H4abuhj5HKZfrF4mPLvT5vndMpR0h183E0MpUvOW7q9xlXB85X820-3i3IC4xLGbBiS-Pf3v-o2eUuge_l-21bG_2vt-fvz8MwAA__9XraZ6	Get hash	malicious	Unknown	Browse	104.18.86.42
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	104.21.53.8
	https://u47466077.ct.sendgrid.net/ls/click?upn=u001.UMdxVMkb1VX-2BSXmtpMtK82JjAEsu0ALWxL56w0aqjY7gO2PQAp-2BHlpc2oHbxXqj96ytu9xZ3C-2Fcc7TYscckKittsHzuWk7oZ3yaOKtJMNc8-3DRsvZ_dbL1OaRcFhqC5DXhStX0pOfbUZAVayn7H9CSqXbkr4AEsrYhI8sxSoDstGnKE3nSaek5kwmHaFG3atrVJND0eFScLCv5QNKy0pTk284nu-2BxN1xL46pFdl1yW-2FGBCKHiHI0gjIrdVFOC2h7jkJO2cxfog84YKROP-2B-2BdA0OdnQh5hGxm6YRf05P7iW5UMx11N0ueP-2F2UiL6g2UC0lWPIMYJ182aZQJ-2Fm9GZ4c44stqB0DO8b-2FrPustgC-2Bh1gTE6-2FFNjzbLBZ0hYrZFIWaYHhsZOERflLIIJfjns6vznBL04sQ8kMuJWeeDmdiHffjbA78LTMXrOOTBnUAoQcgbX3o0ZtWjUtGmNb9u0iM25SXUz96JzBOXLTGWbmLHm73izq-2Bzm3dZ9Kvjve6nPZ60tYFPWo2cWQphx7VgLLG3ll4SLBhG0ZcCfFkVwc-2FaGk1f1iuKH-2B72D6eiAuGg1eCU6ru5F8i98Fg5H2jc-2FMmRZrSbwbeiZq6a-2BFuZLyQ0fAg94tZM61XKFFZZXXADlVrgbk2MpZ005zWxPadL7TkllIWWdASBZrc-2Fl67KTNAHqzHJQHKksVxPkpV-2FmYSLF6l3YkJ3VquJDXkKuGuNb9N0We4mGIxkvHU8m0L-2F5Q9xYL2gkjk6O3RjflxLNK0tJUOq6NRS1wUVMB0YNfkTFKZVNcjX8SF-2FJKqRMROsF93K-2BKBpcamWaR-2FMXpesIJiR1UxONob5nT0UhpWXavZ-2BD8eS6npJr3AFISjiypSnZtPUcbtuXDo-2BMWjE8H-2FZDFwMVLf9J0psBAe-2FndX9LVBZzEVTuz4yTF6SNg9wztt9z8C-2FgjqLM92b3dYtqP4rqn3iuwDWxbETM3Pdy5CqS9ymWqJJBtBJW7b7HkFr-2BjPkTcrmOtesM-2Fiw	Get hash	malicious	HTMLPhisher	Browse	104.18.11.207

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	https://www.figma.com/proto/9VPPM7CSCzCr9R0IyrbHb3/Continue-to-document?node-id=1-2&node-type=frame&t=TLXLjdBW9vQs7So6-1&scaling=min-zoom&content-scaling=fixed&page-id=0%3A1&starting-point-node-id=1%3A2&share=1	Get hash	malicious	Unknown	Browse	104.26.13.205
	NEW ORDER QUOTATION REQUEST.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.26.13.205
	https://email.email.pandadoc.net/c/eJxUkMtu2zoQhp9G3NkQhxQlLbRIjo8QpKjRS5qi3QTD4TCmZYuyRNm1nr4w0PSyGwzmG3z_7xprlPWVcJHmI_fpJbjmguOnLn78cm0vTw-4fw8_dttdENzIEmoji9oYsWsAtST2VKmiVOSoJqdyVNYa9pUnKUIDOWiZA0hTgDZrUNoXnphIopaly3TORwyH9YC9Qxdp3XMSYXpJIxKjPXCTxpnFodmlNEyZusugzaDFYfiDUDxm0L7pZ9CeIVNtih33mdpIlF4hGzaGIM8ta2mV83UNlbFYlJCbQhsoM9WKPqbgA2EKsb_VACXX1jKtlM9hpQHcqiKvVsZXuvB16WTBIo6v2IflN7T_8Ly_7-p6G_bz4wbM8n1Sp6MYG7ePPU-Zzu186Pg0H4abuhj5HKZfrF4mPLvT5vndMpR0h183E0MpUvOW7q9xlXB85X820-3i3IC4xLGbBiS-Pf3v-o2eUuge_l-21bG_2vt-fvz8MwAA__9XraZ6	Get hash	malicious	Unknown	Browse	104.26.13.205
	Q110450 SV51179-01.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.26.13.205
	https://t.ly/HTVUP	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	104.26.13.205
	https://email.email.pandadoc.net/c/eJxUkMtu2zoQhp9G3NkQhxQlLbRIjo8QpKjRS5qi3QTD4TCmZYuyRNm1nr4w0PSyGwzmG3z_7xprlPWVcJHmI_fpJbjmguOnLn78cm0vTw-4fw8_dttdENzIEmoji9oYsWsAtST2VKmiVOSoJqdyVNYa9pUnKUIDOWiZA0hTgDZrUNoXnphIopaly3TORwyH9YC9Qxdp3XMSYXpJIxKjPXCTxpnFodmlNEyZusugzaDFYfiDUDxm0L7pZ9CeIVNtih33mdpIlF4hGzaGIM8ta2mV83UNlbFYlJCbQhsoM9WKPqbgA2EKsb_VACXX1jKtlM9hpQHcqiKvVsZXuvB16WTBIo6v2IflN7T_8Ly_7-p6G_bz4wbM8n1Sp6MYG7ePPU-Zzu186Pg0H4abuhj5HKZfrF4mPLvT5vndMpR0h183E0MpUvOW7q9xlXB85X820-3i3IC4xLGbBiS-Pf3v-o2eUuge_l-21bG_2vt-fvz8MwAA__9XraZ6	Get hash	malicious	Unknown	Browse	104.26.13.205
	MlGBT3hUEG.exe	Get hash	malicious	Unknown	Browse	104.26.13.205
	cgqdM4IA7C.exe	Get hash	malicious	XWorm	Browse	104.26.13.205
	NxR7UQaeKe.exe	Get hash	malicious	XWorm	Browse	104.26.13.205
	https://www.instagram.com/reel/DBWVgoCoDqq/?igsh=aXdnZTl2NGIwdXN5	Get hash	malicious	Unknown	Browse	104.26.13.205

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_X00GI2RPISPKZHNF_fdea285d2efd4e31cd11be78abb91d9fb6fd2efe_b95f701e_8526e9a2-c9a0-4f6c-a7e7-ba3042745614\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.2657491510900574
Encrypted:	false
SSDEEP:	192:vuj1nAsW2i0v5zXa+B2ptv4oWIzuiFYZ24lO83d:oCsvv5zXae2pd/zuiFYY4lO83d
MD5:	6AF0A2CE5334C3B18D4A5B7CFF36B51C
SHA1:	DACF9AFBA4A6BA1505DC815EFE81E9C09F3B076E
SHA-256:	215D77E0F1FBEF10CB01AE46DE59BFAB3A5B1AF9CAEC8837FFE127F9FB67443E
SHA-512:	D0AB9FA8AE40C2F96D8887BC37678EA3262FC3AB624F0FF3F0375F08202AC4122400E5F36CE08E1C69EB626F14DB61B3B62410C40459A9867680F01F132F3417
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.4.1.0.7.7.0.0.2.6.2.8.5.1.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.4.1.0.7.7.0.0.9.6.5.9.7.4.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.5.2.6.e.9.a.2.-.c.9.a.0.-.4.f.6.c.-.a.7.e.7.-.b.a.3.0.4.2.7.4.5.6.1.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.7.a.3.d.1.e.9.-.f.c.e.a.-.4.b.f.5.-.9.2.1.7.-.9.4.e.8.2.5.1.9.b.f.0.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.P.u.r.c.h.a.s.e. .O.r.d.e.r. .F.o.r. .L.i.n.e.a.r. .A.c.t.u.a.t.o.r...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.N.e.w.c.a.s.t.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.8.e.4.-.0.0.0.1.-.0.0.1.5.-.9.e.4.5.-.d.e.0.8.c.d.2.4.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.2.8.5.2.7.3.1.6.0.2.5.e.0.6.3.1.9.b.5.6.c.d.2.5.7.e.a.b.9.7.8.5.0.0.0.0.0.0.0.0.!.0.0.0.0.0.5.0.8.3.7.8.5.7.d.b.8.0.b.e.5.0.6.f.8.9.0.b.b.8.2.d.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER86B7.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 16 streams, Tue Oct 22 21:55:00 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	478800
Entropy (8bit):	3.2842666089030255
Encrypted:	false
SSDEEP:	3072:kZIRiqXDvjDbMCegFB3+v3uInw4LvBMRCpdxFGcSHAhfReSuG1CCqH:OIRnDorI3QejM7di4Zdpq
MD5:	EC95F9F71E95BC1BFE482269ECB83312
SHA1:	AA70306D745308CF94F2EEFC94A4CFE2F647F69E
SHA-256:	59F7FA8589B3CAB776B41FCD87F8C379F7603FFD0747F8D520FB9E1FF3D3AF0E
SHA-512:	0AC732C03DC249BDF70843F391BD0BE5C73026BDBD2F99EC5F582D154A3501DD2B1E100419CFB16ADEE02D475C3FA97285D93F9D4524C4F08D94F173319DD6B7
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......4..g............t.......................$...<)....... ..`)......dT..............l.......8...........T...........(=..(............I...........K..............................................................................eJ......hL......Lw......................T...........1..g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER889D.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8710
Entropy (8bit):	3.7127226564800244
Encrypted:	false
SSDEEP:	192:R6l7wVeJETu9r6Y2DOC9vgmfZnKyipr789bEXwfX0sm:R6lXJB9r6YjWvgmfQyrEAfG
MD5:	DA3F52078B5794C3E59F4ED28B17E522
SHA1:	CCA03B0320AC001C87BB2D268271256EB85DC199
SHA-256:	564B58F4B17B55BD4E8CE798C0919405A0ADD633753E67E969CE897263EB288D
SHA-512:	F0FDA70A6B930276D5D79810A6ADD423FEC0E24C0D07DC9A08E1E52959FA3CFDE31C663BCE72B4996ABE91972189898E7CAA6BE980CFB54ECAD4BDEF13B7F701
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.2.7.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER88CC.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4925
Entropy (8bit):	4.568222027953601
Encrypted:	false
SSDEEP:	48:cvIwWl8zsZuJg771I9kPWpW8VY4Ym8M4JwNIE6FOoyq8v1EyxIbSChHWCJd:uIjfZkI7Le7VwJwrOWOy2hTJd
MD5:	436C3A413C6C79FFB288EBCDF3B1E605
SHA1:	431ED78128D8C158ED063CB99DEFCA34F8409E24
SHA-256:	E2B8B7A8268D796BA468CE1795C24B9EF9020BCB5FDB358935ACFA7BADE1C6D2
SHA-512:	C4FB218522196F6DA341F6914B7C013DE973955645D5794FADB2520982438ECF6CB9E387C8CCA2700FAE488E9028C4B7A260C412E631D0B98A9FC561C4F6A3DB
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="555177" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:Nlllulbnolz:NllUc
MD5:	F23953D4A58E404FCB67ADD0C45EB27A
SHA1:	2D75B5CACF2916C66E440F19F6B3B21DFD289340
SHA-256:	16F994BFB26D529E4C28ED21C6EE36D4AFEAE01CEEB1601E85E0E7FDFF4EFA8B
SHA-512:	B90BFEC26910A590A367E8356A20F32A65DB41C6C62D79CA0DDCC8D95C14EB48138DEC6B992A6E5C7B35CFF643063012462DA3E747B2AA15721FE2ECCE02C044
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	@...e................................................@..........

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3ozq5p4p.g35.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ccqeqfob.3ns.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hdqlvqun.rya.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xnibpavs.41c.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.4689397892193075
Encrypted:	false
SSDEEP:	6144:IzZfpi6ceLPx9skLmb0fmZWSP3aJG8nAgeiJRMMhA2zX4WABluuNkjDH5S:eZHtmZWOKnMM6bFp+j4
MD5:	6CF0763F3454B75C8223D9B763E86A42
SHA1:	8E481A4B7398015C691191492475A7C0A37D09AA
SHA-256:	D5E1AC0DD1B4495C3CCCA4B78D2676E141DBD91C6B3493F1CECEDB6DA662A10E
SHA-512:	43910BBB00EF38B691E9233241AEB5DB20996DA11B8C842B1825D246F1F85B155A586D3C6EFBAA77FF050BD2FB9EF8E5131146F0D672BF1F67D3817EDA022BE4
Malicious:	false
Preview:	regfH...H....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm...$................................................................................................................................................................................................................................................................................................................................................>........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):	4.510821484690367
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Purchase Order For Linear Actuator.exe
File size:	3'677'748 bytes
MD5:	d976a78b2d4808b87477685a86d5a876
SHA1:	050837857db80be506f890bb82dfb4809436aff2
SHA256:	ced54118236fb8dc881c3bd56f115cd557718c17cc585e859a725ccb4f3e6e60
SHA512:	ac901b9d5cf11561b84248b6568e0235ca2948112aa248516acd05a82d43b745ffce704b2fdea1a1c7b3273e4e7d3fc17cfd52723f175ddb20bbbfdba702b1ac
SSDEEP:	12288:lP7r9r/+ppppppppppppppppppppppppppppp0GZnIMJZs28K+nwZ1Kyo5vR3tyc:l1qZnTZs++nwZYtdyN7mQvSJ0bOSOV3P
TLSH:	AE06CF81B5471D93FC099630D5E6B9F142FE6DAB78F4541FDF893D262ABA2BE1021032
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......g.........."...0..7...N........... ....@...... ................................8...`................................

File Icon


Icon Hash:	c5a684988c94a0c5

Static PE Info

General

Entrypoint:	0x400000
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6715B9B6 [Mon Oct 21 02:17:26 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6000	0x34f16	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x3712	0x3800	1f6c1f98b3d5f442eabf4a8e3ffa3580	False	0.6359514508928571	data	6.281676514117558	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x6000	0x34f16	0x35000	df65da1d42f50428dfb73c9bd6281d68	False	0.20986420253537735	data	4.437395896706229	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x6474	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	0.3225609756097561
RT_ICON	0x6adc	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	0.43951612903225806
RT_ICON	0x6dc4	0x1e8	Device independent bitmap graphic, 24 x 48 x 4, image size 288	0.4016393442622951
RT_ICON	0x6fac	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	0.4831081081081081
RT_ICON	0x70d4	0x35e0	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9907192575406032
RT_ICON	0xa6b4	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	0.4584221748400853
RT_ICON	0xb55c	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	0.47382671480144406
RT_ICON	0xbe04	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	0.45564516129032256
RT_ICON	0xc4cc	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	0.3504335260115607
RT_ICON	0xca34	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	0.07868508221933042
RT_ICON	0x1d25c	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	0.15114568005045195
RT_ICON	0x26704	0x67e8	Device independent bitmap graphic, 80 x 160 x 32, image size 26560	0.1543233082706767
RT_ICON	0x2ceec	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	0.175184842883549
RT_ICON	0x32374	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	0.15948275862068967
RT_ICON	0x3659c	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	0.24107883817427386
RT_ICON	0x38b44	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	0.2678236397748593
RT_ICON	0x39bec	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	0.37459016393442623
RT_ICON	0x3a574	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	0.42819148936170215
RT_GROUP_ICON	0x3a9dc	0x102	data	0.6046511627906976
RT_VERSION	0x3aae0	0x24c	data	0.46598639455782315
RT_MANIFEST	0x3ad2c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 22, 2024 23:55:01.164896965 CEST	49710	443	192.168.2.6	104.26.13.205
Oct 22, 2024 23:55:01.164956093 CEST	443	49710	104.26.13.205	192.168.2.6
Oct 22, 2024 23:55:01.165018082 CEST	49710	443	192.168.2.6	104.26.13.205
Oct 22, 2024 23:55:01.197916031 CEST	49710	443	192.168.2.6	104.26.13.205
Oct 22, 2024 23:55:01.197952986 CEST	443	49710	104.26.13.205	192.168.2.6
Oct 22, 2024 23:55:01.829332113 CEST	443	49710	104.26.13.205	192.168.2.6
Oct 22, 2024 23:55:01.829515934 CEST	49710	443	192.168.2.6	104.26.13.205
Oct 22, 2024 23:55:01.831832886 CEST	49710	443	192.168.2.6	104.26.13.205
Oct 22, 2024 23:55:01.831847906 CEST	443	49710	104.26.13.205	192.168.2.6
Oct 22, 2024 23:55:01.832272053 CEST	443	49710	104.26.13.205	192.168.2.6
Oct 22, 2024 23:55:01.879082918 CEST	49710	443	192.168.2.6	104.26.13.205
Oct 22, 2024 23:55:01.919369936 CEST	49710	443	192.168.2.6	104.26.13.205
Oct 22, 2024 23:55:01.967336893 CEST	443	49710	104.26.13.205	192.168.2.6
Oct 22, 2024 23:55:02.103161097 CEST	443	49710	104.26.13.205	192.168.2.6
Oct 22, 2024 23:55:02.103363037 CEST	443	49710	104.26.13.205	192.168.2.6
Oct 22, 2024 23:55:02.103435993 CEST	49710	443	192.168.2.6	104.26.13.205
Oct 22, 2024 23:55:02.109734058 CEST	49710	443	192.168.2.6	104.26.13.205
Oct 22, 2024 23:55:03.063517094 CEST	49713	25	192.168.2.6	46.175.148.58
Oct 22, 2024 23:55:04.156572104 CEST	49713	25	192.168.2.6	46.175.148.58
Oct 22, 2024 23:55:06.160341978 CEST	49713	25	192.168.2.6	46.175.148.58
Oct 22, 2024 23:55:10.176060915 CEST	49713	25	192.168.2.6	46.175.148.58
Oct 22, 2024 23:55:18.176177025 CEST	49713	25	192.168.2.6	46.175.148.58

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 22, 2024 23:55:01.152333021 CEST	64061	53	192.168.2.6	1.1.1.1
Oct 22, 2024 23:55:01.160263062 CEST	53	64061	1.1.1.1	192.168.2.6
Oct 22, 2024 23:55:03.049778938 CEST	52218	53	192.168.2.6	1.1.1.1
Oct 22, 2024 23:55:03.062427998 CEST	53	52218	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 22, 2024 23:55:01.152333021 CEST	192.168.2.6	1.1.1.1	0x179c	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Oct 22, 2024 23:55:03.049778938 CEST	192.168.2.6	1.1.1.1	0x513c	Standard query (0)	mail.iaa-airferight.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Oct 22, 2024 23:55:01.160263062 CEST	1.1.1.1	192.168.2.6	0x179c	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Oct 22, 2024 23:55:01.160263062 CEST	1.1.1.1	192.168.2.6	0x179c	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
Oct 22, 2024 23:55:01.160263062 CEST	1.1.1.1	192.168.2.6	0x179c	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Oct 22, 2024 23:55:03.062427998 CEST	1.1.1.1	192.168.2.6	0x513c	No error (0)	mail.iaa-airferight.com	46.175.148.58	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49710	104.26.13.205	443	1132	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-22 21:55:01 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-10-22 21:55:02 UTC	211	IN	HTTP/1.1 200 OK Date: Tue, 22 Oct 2024 21:55:02 GMT Content-Type: text/plain Content-Length: 14 Connection: close Vary: Origin cf-cache-status: DYNAMIC Server: cloudflare CF-RAY: 8d6cbab16c3d466b-DFW
2024-10-22 21:55:02 UTC	14	IN	Data Raw: 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 Data Ascii: 173.254.250.76

Target ID:	0
Start time:	17:54:57
Start date:	22/10/2024
Path:	C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe"
Imagebase:	0x250ca730000
File size:	3'677'748 bytes
MD5 hash:	D976A78B2D4808B87477685A86D5A876
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2191912651.00000250CC379000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2192633166.00000250DDC00000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2192633166.00000250DDC00000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	17:54:59
Start date:	22/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Purchase Order For Linear Actuator.exe" -Force
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	17:54:59
Start date:	22/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	17:54:59
Start date:	22/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Imagebase:	0xd40000
File size:	42'064 bytes
MD5 hash:	5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.4594266186.00000000031BC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.4592709113.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.4592709113.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.4594266186.0000000003191000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.4594266186.0000000003191000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	17:55:00
Start date:	22/10/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 2276 -s 1256
Imagebase:	0x7ff7b6b30000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	11.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	9
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD34432718 Relevance: 4.4, Strings: 3, Instructions: 637
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

d, xrefs: 00007FFD34433EAF
HoL4, xrefs: 00007FFD3443416E
O_H, xrefs: 00007FFD34433F5F

Memory Dump Source

Source File: 00000000.00000002.2194830524.00007FFD34430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34430000_Purchase Order For Linear Actuator.jbxd

Similarity

API ID:
String ID: HoL4$d$O_H
API String ID: 0-457694247
Opcode ID: 4d45c4b22d70ddaf66aa72fd1427ee54fb96dd32f205c727c02ecc3aeafdbdbb
Instruction ID: a6e18cc8ec545879922e7f3f0bf4d7a5173bd6b9ea2d9e7c43f22ba8000291ca
Opcode Fuzzy Hash: 4d45c4b22d70ddaf66aa72fd1427ee54fb96dd32f205c727c02ecc3aeafdbdbb
Instruction Fuzzy Hash: 13026431B1CA490FE758DB2894E25B177E0FF86310B1942B9D59EC719BEE28F8538781

Function 00007FFD3450026B Relevance: 3.3, Strings: 2, Instructions: 818
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

!N4, xrefs: 00007FFD34500321
A, xrefs: 00007FFD34500786

Memory Dump Source

Source File: 00000000.00000002.2195132122.00007FFD34500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34500000_Purchase Order For Linear Actuator.jbxd

Similarity

API ID:
String ID: A$!N4
API String ID: 0-1471879849
Opcode ID: e9cf010b4a1812088d9051a41aa1e0f5260b4e8857499cecd8d4de70166f34e2
Instruction ID: 953804b47847989b3831b05ccd0fda35645b859ae3143de959e26d73c3216d49
Opcode Fuzzy Hash: e9cf010b4a1812088d9051a41aa1e0f5260b4e8857499cecd8d4de70166f34e2
Instruction Fuzzy Hash: 08425B3AE0DA894FEB56DB18D8A55E87BE0FF57300F1401BED18DCB19ADA2C6846C741

Function 00007FFD34437EE8 Relevance: 3.1, Strings: 2, Instructions: 635
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

DN4, xrefs: 00007FFD34442E75
DN4, xrefs: 00007FFD34442E50

Memory Dump Source

Source File: 00000000.00000002.2194830524.00007FFD34430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34430000_Purchase Order For Linear Actuator.jbxd

Similarity

API ID:
String ID: DN4$DN4
API String ID: 0-231519583
Opcode ID: f440bbf7ad435a0fc97a8a1615c2fd5f82bc291177152e5018ca01443125e6be
Instruction ID: 630ffc40b94b2e4b872c8599773bb3542af4b6afc7ecb24015d1bd79d2a6d747
Opcode Fuzzy Hash: f440bbf7ad435a0fc97a8a1615c2fd5f82bc291177152e5018ca01443125e6be
Instruction Fuzzy Hash: BE124A71B0C9864FF3A8D71C88A65B577D1FF8A360B1502BAD18DC73EADE9C68065381

Function 00007FFD34430BE9 Relevance: 3.0, Strings: 2, Instructions: 483
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(E14, xrefs: 00007FFD34430D99
XF14, xrefs: 00007FFD34430F1C

Memory Dump Source

Source File: 00000000.00000002.2194830524.00007FFD34430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34430000_Purchase Order For Linear Actuator.jbxd

Similarity

API ID:
String ID: (E14$XF14
API String ID: 0-2258943805
Opcode ID: ba10e8d4617e9aee31329e377fceee52f6a99743c42b2c12437233a500949206
Instruction ID: 31c89d7983fd5078446a163aa750a01bad9623ee94e1ade669e5852926214971
Opcode Fuzzy Hash: ba10e8d4617e9aee31329e377fceee52f6a99743c42b2c12437233a500949206
Instruction Fuzzy Hash: FCE11661B0DA8D1FE795E77888757A97FE5EF5A210B0901FAD08DD72ABCD5CA842C300

Function 00007FFD34433740 Relevance: 2.8, Strings: 2, Instructions: 336
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

hKL4, xrefs: 00007FFD34433874
fish, xrefs: 00007FFD344337B0

Memory Dump Source

Source File: 00000000.00000002.2194830524.00007FFD34430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34430000_Purchase Order For Linear Actuator.jbxd

Similarity

API ID:
String ID: fish$hKL4
API String ID: 0-4103589924
Opcode ID: bf11d4517adc1035f3bb99edf6c6a6d936d920cfd3b8f7951feeaac49fe18b15
Instruction ID: 3ce67a5b7382650a31fbe443d07ac1765653ccbc93c7b34489d1ee66ad501280
Opcode Fuzzy Hash: bf11d4517adc1035f3bb99edf6c6a6d936d920cfd3b8f7951feeaac49fe18b15
Instruction Fuzzy Hash: 1E915A31B1CA4E0FE75CEA2898B51BA73D0FF96710B05023EE58BC3596EE58FC525681

Function 00007FFD3443B011 Relevance: 2.6, Strings: 1, Instructions: 1389COMMON

Download Yara Rule

Strings

`}N4, xrefs: 00007FFD3443BADF

Memory Dump Source

Source File: 00000000.00000002.2194830524.00007FFD34430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34430000_Purchase Order For Linear Actuator.jbxd

Similarity

API ID:
String ID: `}N4
API String ID: 0-151340322
Opcode ID: 3efa527d9580b72ce248fc68115f451438b1d6bfbe167dc9b102ec1dc1237422
Instruction ID: 03032144d80fe83c68e09af09c0a5a564e79f2a43eaae5145e28cd73745d41a0
Opcode Fuzzy Hash: 3efa527d9580b72ce248fc68115f451438b1d6bfbe167dc9b102ec1dc1237422
Instruction Fuzzy Hash: 6BA2583060CB8A4FE759DB28C4A45B5B7E1FF96301B1545BED18AC72ABDE38E852C740

Function 00007FFD3443A858 Relevance: 1.6, Strings: 1, Instructions: 365COMMON

Download Yara Rule

Strings

PYN4, xrefs: 00007FFD3443AA7D

Memory Dump Source

Source File: 00000000.00000002.2194830524.00007FFD34430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34430000_Purchase Order For Linear Actuator.jbxd

Similarity

API ID:
String ID: PYN4
API String ID: 0-3328857023
Opcode ID: bbc48ce06d4709f8d9bff8790310395ad67c8c908a1c09026da67cb7f253845f
Instruction ID: 0820dbea76b893260da98cfe63bb82421a6254764c57eaf244a41c59128756f0
Opcode Fuzzy Hash: bbc48ce06d4709f8d9bff8790310395ad67c8c908a1c09026da67cb7f253845f
Instruction Fuzzy Hash: D1B1CB31B0CB8A0BE71CC62984F10B5B7D2EFC3701B06467EE5DAD3299DD6CA8529781

Function 00007FFD3443DB99 Relevance: 1.5, Instructions: 1528COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2194830524.00007FFD34430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34430000_Purchase Order For Linear Actuator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 783bcac1994381a9bd1c8578987a6171454d738527ffd50c57caa5a6da4c8741
Instruction ID: 760158a3c1bca82d7450a7b4d246be2a8b114dcb7b2ab7f91805b279a3fbcc15
Opcode Fuzzy Hash: 783bcac1994381a9bd1c8578987a6171454d738527ffd50c57caa5a6da4c8741
Instruction Fuzzy Hash: D8B2793060CB894FD359DB28C4A04B5B7E2FFD6301B1545BEE58AC729ADE38E856C781

Function 00007FFD344335F0 Relevance: 1.0, Instructions: 1009COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2194830524.00007FFD34430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34430000_Purchase Order For Linear Actuator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88f89ce07c6ceb9bca66f25dff52f1e326dfd9d3b2222ee9db6d8f1b99a93052
Instruction ID: 337ef7da4031a830d15b3324c0305b10044b88a0060a28081981c080992b6432
Opcode Fuzzy Hash: 88f89ce07c6ceb9bca66f25dff52f1e326dfd9d3b2222ee9db6d8f1b99a93052
Instruction Fuzzy Hash: DF726431A0CB864FE7698B1484A12B477E1EF97310F1641BDD58ECB6DBDE6CA846C780

Function 00007FFD34437960 Relevance: .9, Instructions: 937COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2194830524.00007FFD34430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34430000_Purchase Order For Linear Actuator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c52061df085e68bda36a46e4896b3703a686f58c7c6f97ffdc866983cc29a394
Instruction ID: 21f806d5c1259b4081d7ee85136f173507e491aeef65b6079d2f3a2771a79584
Opcode Fuzzy Hash: c52061df085e68bda36a46e4896b3703a686f58c7c6f97ffdc866983cc29a394
Instruction Fuzzy Hash: 86521631B0CA0D4FDB68EB2884B567977E1FF5A700B1541BEE08EC7296DE28AC52D741

Function 00007FFD34439A9C Relevance: .5, Instructions: 524COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2194830524.00007FFD34430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34430000_Purchase Order For Linear Actuator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96ef59f8d3f0dd8005a02c1076b90be66296b3e01dbdf77777a9eff187f276b8
Instruction ID: e81a5eda94f7d4e1c6f260144acd518748d355dea17d899189b776c68244a851
Opcode Fuzzy Hash: 96ef59f8d3f0dd8005a02c1076b90be66296b3e01dbdf77777a9eff187f276b8
Instruction Fuzzy Hash: 27D1BE5694E7CA4FE353577508B10A07FB0AE23A5075E01EBC5C4CF0E7DA4DA85AE722

Function 00007FFD345011DB Relevance: .4, Instructions: 433COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2195132122.00007FFD34500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34500000_Purchase Order For Linear Actuator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1abcff434359d593b9eca38647f53ec6084110f85f353117c02e72eb4c0e6b33
Instruction ID: f38ecec0114434bdf2e6a3d26a4dd36f9796f3b6e61e9eed030b1aef4b0cd784
Opcode Fuzzy Hash: 1abcff434359d593b9eca38647f53ec6084110f85f353117c02e72eb4c0e6b33
Instruction Fuzzy Hash: E1D15776E0DBC64FE753CB285CA65A87FE0EF57310B0901FAC589CB0A7D91DA8069342

Function 00007FFD3443AC30 Relevance: .4, Instructions: 387COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2194830524.00007FFD34430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34430000_Purchase Order For Linear Actuator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0357e769a50ac48cf7e1a6c336757e4956a1124589fa0b9f1fd014ee0d530663
Instruction ID: 58cac6f075277d2440c3e7194c9d40c8310cb163538f524d50db9a99a950d43f
Opcode Fuzzy Hash: 0357e769a50ac48cf7e1a6c336757e4956a1124589fa0b9f1fd014ee0d530663
Instruction Fuzzy Hash: 71C19C3160CB890FE31DCB2884B51B1B7E2FFD6701B1646BEE4C6C72A5DA68A456C781

Function 00007FFD34443B5C Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2194830524.00007FFD34430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34430000_Purchase Order For Linear Actuator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03f63450c78ec3a2e808db8b2bfceeb31fa068cc1a9c43fafa09b77c1cb421ba
Instruction ID: 3ed1cecb4c2a4fa112b13c05fcba3862a010722181ce7d1e2f96cedf555300b7
Opcode Fuzzy Hash: 03f63450c78ec3a2e808db8b2bfceeb31fa068cc1a9c43fafa09b77c1cb421ba
Instruction Fuzzy Hash: 63417B3270D3891FD71E9A788C661B57B95EB83220B1682BFD486CB1EBDC68580783D1

Function 00007FFD34443BA9 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2194830524.00007FFD34430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34430000_Purchase Order For Linear Actuator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e597f3f0f974e2722a56bafa015a1ecbb83190821dad604be1d807ad31148d99
Instruction ID: 508de75c8cc1b106a5fbf1f0b5924836aabf3e6af0bea2aaa34e82bfd96b5f83
Opcode Fuzzy Hash: e597f3f0f974e2722a56bafa015a1ecbb83190821dad604be1d807ad31148d99
Instruction Fuzzy Hash: B7418E3170D38A1FD72E9A748C651A57FA5EB83310B1682BFD486CB1EBDD6C98078391

Function 00007FFD344387FA Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 128
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 00007FFD34447511

Strings

O_^, xrefs: 00007FFD344387FA
O_^, xrefs: 00007FFD34438812

Memory Dump Source

Source File: 00000000.00000002.2194830524.00007FFD34430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34430000_Purchase Order For Linear Actuator.jbxd

Similarity

API ID: ProtectVirtual
String ID: O_^$O_^
API String ID: 544645111-3149176749
Opcode ID: bcc8e4d7a1ccd799bf221e81a993f8533846a0ab31b93d68d63cb26166d8815c
Instruction ID: 7c9426cdaa7d232cf2b9070a5c08d06af4ff32fa72563af1bc00e8356c17ac83
Opcode Fuzzy Hash: bcc8e4d7a1ccd799bf221e81a993f8533846a0ab31b93d68d63cb26166d8815c
Instruction Fuzzy Hash: 4B315971A0CA4C8FDB18DF98D8466F9BBE1FB55311F04423FD049D3252DB6468468781

Function 00007FFD34431CA5 Relevance: 1.9, APIs: 1, Instructions: 430
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 00007FFD34431F11

Memory Dump Source

Source File: 00000000.00000002.2194830524.00007FFD34430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34430000_Purchase Order For Linear Actuator.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f110b31a5c55ea6d9e2c80310c5b4289ffd1d78ca004e70607badfd40e09f56e
Instruction ID: 4d5ad961ad03e1b7025edbb9193dde0236392c0333860aafaccda2183bb7979e
Opcode Fuzzy Hash: f110b31a5c55ea6d9e2c80310c5b4289ffd1d78ca004e70607badfd40e09f56e
Instruction Fuzzy Hash: D2D16731A0C68D5FEB15EB6CE8667E93BE4EF46320F04017BE44DC7193CA68A845C791

Function 00007FFD344320AA Relevance: 1.9, APIs: 1, Instructions: 354
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2194830524.00007FFD34430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34430000_Purchase Order For Linear Actuator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abcf81e5a1d6a9b6bce191779dc2a48bc69ded7abfbea69de63189dd47307e5f
Instruction ID: ef036df8ec1a5f0c712effbaaec01a0891c8855ad3928f9f515840203320f920
Opcode Fuzzy Hash: abcf81e5a1d6a9b6bce191779dc2a48bc69ded7abfbea69de63189dd47307e5f
Instruction Fuzzy Hash: D5B1063090CB8D4FEB59DF68C8566E97BE1FF56311F04426BE449C3292DA78A845CB81

Function 00007FFD344467DA Relevance: 1.8, APIs: 1, Instructions: 309
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesA.KERNELBASE ref: 00007FFD344487DC

Memory Dump Source

Source File: 00000000.00000002.2194830524.00007FFD34430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34430000_Purchase Order For Linear Actuator.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 0f90cf13880bde67a2b99bba0e6439bc3c74961aa2d10170e6f5068a5035013e
Instruction ID: 4bbf0adba0bc477a9fa175c6aa4826e7b6dcd8c36d4f053561cb378fccc96594
Opcode Fuzzy Hash: 0f90cf13880bde67a2b99bba0e6439bc3c74961aa2d10170e6f5068a5035013e
Instruction Fuzzy Hash: C991C530A08A4C8FEB58DF68C8567E97BE1FF56310F04427ED84DC7296DA78A845CB91

Function 00007FFD344322CA Relevance: 1.6, APIs: 1, Instructions: 139memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFD344323A2

Memory Dump Source

Source File: 00000000.00000002.2194830524.00007FFD34430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34430000_Purchase Order For Linear Actuator.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: d82380c34de2eb524a3537dccac9c1bc87c6d475dfeba551fc4f4fb523209548
Instruction ID: 85f5ff577287760292f0a7f6795965f0bdeb60816d10a6a152993c066b7620fa
Opcode Fuzzy Hash: d82380c34de2eb524a3537dccac9c1bc87c6d475dfeba551fc4f4fb523209548
Instruction Fuzzy Hash: 8041263090CB888FDB19DBA898566E97FE0EF56321F0402AFD089C3192CB646856C791

Non-executed Functions

Function 00007FFD34438260 Relevance: 6.6, Strings: 5, Instructions: 400COMMON

Download Yara Rule

Strings

O_^, xrefs: 00007FFD344384C9
O_^, xrefs: 00007FFD34438562
O_^, xrefs: 00007FFD34438522
O_^, xrefs: 00007FFD344385C2
O_^, xrefs: 00007FFD34438502

Memory Dump Source

Source File: 00000000.00000002.2194830524.00007FFD34430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34430000_Purchase Order For Linear Actuator.jbxd

Similarity

API ID:
String ID: O_^$O_^$O_^$O_^$O_^
API String ID: 0-2660881393
Opcode ID: e48856246a3335fc6f0e9590ce023caa9ad46f3f846ec3b2c106e7587006169c
Instruction ID: ec2a00551fcd01e914686964935bf783db5695264b68b46568824df17a69695a
Opcode Fuzzy Hash: e48856246a3335fc6f0e9590ce023caa9ad46f3f846ec3b2c106e7587006169c
Instruction Fuzzy Hash: AFC1B55BF0D6962BEB1666BC68B62E67BD4EF5322870A01B3C2C8CD043ED1C68574245

Function 00007FFD344360C5 Relevance: 6.6, Strings: 5, Instructions: 366COMMON

Download Yara Rule

Strings

0L4, xrefs: 00007FFD34436289
L4, xrefs: 00007FFD34436299
L4, xrefs: 00007FFD34436279
L4, xrefs: 00007FFD344361D9
hL4, xrefs: 00007FFD344361E9

Memory Dump Source

Source File: 00000000.00000002.2194830524.00007FFD34430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34430000_Purchase Order For Linear Actuator.jbxd

Similarity

API ID:
String ID: L4$ L4$0L4$hL4$L4
API String ID: 0-2994237154
Opcode ID: dd2a484b6609965b3be6a00f15ba632fa6b34c884e0ef9165a2da756aa02cd6a
Instruction ID: 30fcc805e19e69d702d4aebb3117ba2cce26c251f605707468852c9ce7b1fd21
Opcode Fuzzy Hash: dd2a484b6609965b3be6a00f15ba632fa6b34c884e0ef9165a2da756aa02cd6a
Instruction Fuzzy Hash: 64A16D47B0D9872BEBB4A62C58F62F67BD4DF9372070941BBD288CB09BDC0C6C5A5241

Function 00007FFD34431CC0 Relevance: .7, Instructions: 651COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2194830524.00007FFD34430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34430000_Purchase Order For Linear Actuator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f73d6c5e8fc7a500565a2485e02784a7d11d5dca048e5717cf2b149d387ed0c6
Instruction ID: 3260275ce6c56eb7554c8c1badbf1c9a70fd93033a4d847789bf5190134e88c6
Opcode Fuzzy Hash: f73d6c5e8fc7a500565a2485e02784a7d11d5dca048e5717cf2b149d387ed0c6
Instruction Fuzzy Hash: 1DF13461A4EBCA4FE313473448B51A07FF0AF2362071A05FBC5D5CB0A7DA5DA85AD722

Function 00007FFD344393DC Relevance: .5, Instructions: 540COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2194830524.00007FFD34430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34430000_Purchase Order For Linear Actuator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4511ab8f5235ce853ac0b0c7a1119662c8a2c0ccc506ba51aa48a546b8444ccc
Instruction ID: ce007929eca5ad95fe42b16a23f3bef7042eba402d1adb6e8c7c77ea85a8c1dc
Opcode Fuzzy Hash: 4511ab8f5235ce853ac0b0c7a1119662c8a2c0ccc506ba51aa48a546b8444ccc
Instruction Fuzzy Hash: 0FD1785698E7CA4FE313167518B50A07FB0AE23A6071E01EBC5C4CF0E7DA4E585AE722

Function 00007FFD34438EA9 Relevance: .4, Instructions: 406COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2194830524.00007FFD34430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34430000_Purchase Order For Linear Actuator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30d53b424b070bf97295e7077aa1b7db8f3218c8d4c1205ba98217e7a46abb31
Instruction ID: a5bdf2c7c0fa3cb919d53c7855cff542a91c721f5a06c44dac2e65e38da8b966
Opcode Fuzzy Hash: 30d53b424b070bf97295e7077aa1b7db8f3218c8d4c1205ba98217e7a46abb31
Instruction Fuzzy Hash: 65A1765698E7CA4FE31307750CB51A07FB0AE23A6031E11EBCAD4CF0A7D64D585AE722

Function 00007FFD3443169D Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2194830524.00007FFD34430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34430000_Purchase Order For Linear Actuator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 446a3e4189e63f18aaa4daa439090a49fc0f97ab99241df94c673b320af97dcc
Instruction ID: e1806e7703491bba4cd3cf3af6d6c095f549566351e6f7bd9ddf5780d6c62bbd
Opcode Fuzzy Hash: 446a3e4189e63f18aaa4daa439090a49fc0f97ab99241df94c673b320af97dcc
Instruction Fuzzy Hash: 3851FF51B0DAC90FE782A7B848B92B56FD5DF5B125B1D01FBD0C8C71ABCA8C5856D302

Function 00007FFD34443439 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2194830524.00007FFD34430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34430000_Purchase Order For Linear Actuator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38866847a65edf961bf737de9c38d90182d08938408e9acd73744cff26f6efbf
Instruction ID: 14e133a0b20fe6919a87479fa51f900fd3fcd05edb494fe9dcc59625ede692d1
Opcode Fuzzy Hash: 38866847a65edf961bf737de9c38d90182d08938408e9acd73744cff26f6efbf
Instruction Fuzzy Hash: EE41F632A0D7D50FD31E9A795C560A17FB5DB8322071A82FBD4C6CB1A7E4596C0BC391

Analysis Process: InstallUtil.exePID: 1132, Parent PID: 2276COMMON

Execution Graph

Execution Coverage:	7.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	21
Total number of Limit Nodes:	4

Executed Functions

Function 02F6A968 Relevance: 2.8, Instructions: 2804COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4593836596.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f60000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 076d91efd267b2098a408c121d2176d8a15894b2589022125845f79043082c7a
Instruction ID: 0451ddb402e186a5f49e599bd1a77f137ba2e1e598ee6f578f5911e9564e4735
Opcode Fuzzy Hash: 076d91efd267b2098a408c121d2176d8a15894b2589022125845f79043082c7a
Instruction Fuzzy Hash: 1E53F831D10B1A8ACB51EF68C8846A9F7B1FF99300F15D79AE45877121FB70AAD4CB81

Function 02F63E80 Relevance: 1.5, Strings: 1, Instructions: 238
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\VGm, xrefs: 02F640CB

Memory Dump Source

Source File: 00000004.00000002.4593836596.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f60000_InstallUtil.jbxd

Similarity

API ID:
String ID: \VGm
API String ID: 0-1150679331
Opcode ID: 26e9d5232c835d43ceaa4d611769023695e704b2306b2d133617c6278bdc57f7
Instruction ID: 29ebb05061cf52ca7e0f047164a282b80604c6c83b1323339896f4b289501a83
Opcode Fuzzy Hash: 26e9d5232c835d43ceaa4d611769023695e704b2306b2d133617c6278bdc57f7
Instruction Fuzzy Hash: DE916C70E002199FEF24DFA8C9897EEBBF2EF88744F148129E515A7254EB749845CF81

Function 02F64A98 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4593836596.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f60000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5441ef4985d516406b355900768fed667540123e4f0503acb051b85015b8a1ef
Instruction ID: e743589b5fa17b205a74297bac262a156b4e9692ca99450b54bc1c65032693e5
Opcode Fuzzy Hash: 5441ef4985d516406b355900768fed667540123e4f0503acb051b85015b8a1ef
Instruction Fuzzy Hash: 47B15D70E002098FDB20DFA9C8997ADBBF2EF88394F148129D915E7394EB749845CF91

Function 02F64810 Relevance: 2.7, Strings: 2, Instructions: 180
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\VGm, xrefs: 02F6487F
\VGm, xrefs: 02F649D2

Memory Dump Source

Source File: 00000004.00000002.4593836596.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f60000_InstallUtil.jbxd

Similarity

API ID:
String ID: \VGm$\VGm
API String ID: 0-2238751749
Opcode ID: cbd2114005d552cddd8ab006f8379ec318d16efab9216c4b8641e60ae4220cbf
Instruction ID: 1f02e4469f7ed1d669b52929b2700a6573536461e264fcd260a72ac0a27183d7
Opcode Fuzzy Hash: cbd2114005d552cddd8ab006f8379ec318d16efab9216c4b8641e60ae4220cbf
Instruction Fuzzy Hash: 38718D70E002499FDB20DFA9C888BAEBBF2FF88754F148129E515A7254EB749845CF91

Function 02F64807 Relevance: 2.7, Strings: 2, Instructions: 180
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\VGm, xrefs: 02F6487F
\VGm, xrefs: 02F649D2

Memory Dump Source

Source File: 00000004.00000002.4593836596.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f60000_InstallUtil.jbxd

Similarity

API ID:
String ID: \VGm$\VGm
API String ID: 0-2238751749
Opcode ID: bbe1317b33484f9e0a66dd8b35d0c06a0864d75715209fad81a4402099ef2f1b
Instruction ID: ccd484e3a8a550986a4172882f34b38931d7ed8cd67429d1f675cca2f469ad18
Opcode Fuzzy Hash: bbe1317b33484f9e0a66dd8b35d0c06a0864d75715209fad81a4402099ef2f1b
Instruction Fuzzy Hash: CB718B70E002499FDB20EFA8C988BEEBBF2FF88754F148129E515A7254DB749845CF91

Function 05C4D1CC Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,05C4E5B2), ref: 05C4EAA7

Memory Dump Source

Source File: 00000004.00000002.4596591941.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5c40000_InstallUtil.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 4bab20cd2c164eeca6483f3d2f3020584667917639d6fcca9d5aa122f0942fcb
Instruction ID: 1b6185d916e588c754c2552c8b27b31ea59156f0608b195cb1d3ee7f05a20107
Opcode Fuzzy Hash: 4bab20cd2c164eeca6483f3d2f3020584667917639d6fcca9d5aa122f0942fcb
Instruction Fuzzy Hash: 7D1136B1C0065A9BCB10CF9AC444B9EFBF4BF48224F11856AD918A7240D378A914CFA1

Function 05C4EA38 Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,05C4E5B2), ref: 05C4EAA7

Memory Dump Source

Source File: 00000004.00000002.4596591941.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5c40000_InstallUtil.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 109e378c3ec0b7fdfca94bceddf68184ef1899b929cdd19c33de80cb9527b677
Instruction ID: c37c4bc9f7dc67e54f30a10b7ef135b045223cdbd752d708431e0689ff4af386
Opcode Fuzzy Hash: 109e378c3ec0b7fdfca94bceddf68184ef1899b929cdd19c33de80cb9527b677
Instruction Fuzzy Hash: 171136B1C0066A9FCB10CF9AC444BDEFBB4BF48310F11826AE818A7240D378A954CFA1

Function 02F63E74 Relevance: 1.5, Strings: 1, Instructions: 235
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\VGm, xrefs: 02F640CB

Memory Dump Source

Source File: 00000004.00000002.4593836596.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f60000_InstallUtil.jbxd

Similarity

API ID:
String ID: \VGm
API String ID: 0-1150679331
Opcode ID: 6307243ae63f003c089eb7d8a823376ac079b21b7c319ed91b3d862f72877b16
Instruction ID: 24d7e0aa2febf4fd2b7a672ff8fe385f1ff14ebc8dcc850ba2504810014ac4ef
Opcode Fuzzy Hash: 6307243ae63f003c089eb7d8a823376ac079b21b7c319ed91b3d862f72877b16
Instruction Fuzzy Hash: 07A17B70E002199FEB24DFA8C9897EEBBF2FF88744F148129E515A7254EB749845CF81

Function 02F68720 Relevance: .6, Instructions: 554
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.4593836596.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f60000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1eadd560aef0dc16a47208bbb1326776b3b7f97fd85f29c26119857d810ca2b9
Instruction ID: 20a002b2fc841b76cae849581fe17ad923ce886658262f14e1de583d6b49d88f
Opcode Fuzzy Hash: 1eadd560aef0dc16a47208bbb1326776b3b7f97fd85f29c26119857d810ca2b9
Instruction Fuzzy Hash: 40126035B012079BDB19AB2CE49822837A3FBC5790F25896CD105DB354CF79DC8ADB91

Function 02F6A190 Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4593836596.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f60000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcee65a8cc60584e29f38a88612d25e4521ac61b9f2367003b9137bc357d1e63
Instruction ID: 177105825dc6fe953811595d76aaa619d8320d93f54e764f5a930a91dd54d24a
Opcode Fuzzy Hash: dcee65a8cc60584e29f38a88612d25e4521ac61b9f2367003b9137bc357d1e63
Instruction Fuzzy Hash: 32A14F35B001098FDB14DBA4D998AADBBF2FF88354F248569EA06E7364DB35DC41CB50

Function 02F64A8F Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4593836596.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f60000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8db67b5ad77e954de7e5fafe32b216a6b97b96efa77dfabd678a664d64651863
Instruction ID: 5c0f52a9770dda93c6265e7632223ec750ba98253739b2e3c02dc3285a72286c
Opcode Fuzzy Hash: 8db67b5ad77e954de7e5fafe32b216a6b97b96efa77dfabd678a664d64651863
Instruction Fuzzy Hash: D3B13970E0021A8FDB20DFA8C8997ADBBF2EF48794F148129D915A7394EB749845CF91

Function 02F6A18F Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4593836596.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f60000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 136036ab394d5bde41a4fbe1e4da99db9cfa7da09fcc1fe23e507bc688912bb6
Instruction ID: 42072c6f0779d10e8aaeeb2864243bd118a344f70eea4188bb629934759041c9
Opcode Fuzzy Hash: 136036ab394d5bde41a4fbe1e4da99db9cfa7da09fcc1fe23e507bc688912bb6
Instruction Fuzzy Hash: 49912E35A001058FDB14DFA4D988AADBBB2EF88354F248569EA06E7364DB35EC41CB90

Function 02F6A183 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4593836596.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f60000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0514e80e5ef5a3c669b3f431bc3aba2543523913b11a43903f4c197865d0375
Instruction ID: fb727957801f69d33a2284c378cc988879d3d9743b5e2d3da62c4796304b30f3
Opcode Fuzzy Hash: f0514e80e5ef5a3c669b3f431bc3aba2543523913b11a43903f4c197865d0375
Instruction Fuzzy Hash: 73815F35A001058FDB14DFA4D988AADBBF2FF88350F248569EA05A7364DB35EC42CB90

Function 02F66ECF Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4593836596.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f60000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05b7f24b5bcb591f81b296a26b15946454ebc2da2591574890b56e266a1d5719
Instruction ID: c959a8acfcef5e817a2b3f09ae50e20ef971777da0fc8d37338ae29eb926ae2d
Opcode Fuzzy Hash: 05b7f24b5bcb591f81b296a26b15946454ebc2da2591574890b56e266a1d5719
Instruction Fuzzy Hash: 0E618F30B00115CFDB14EF69C558AAEB7B6FF89744F2040A9E506EB3A1DB759C41CBA1

Function 02F6A58F Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4593836596.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f60000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7784e22cf3415b5b4558f13cfcaf72f834323af7c0fac0e88d170da6ecc3287
Instruction ID: 7870166487dfef0fde8d64005c58f2503174bed87f097d10a3bff0598533f5c5
Opcode Fuzzy Hash: d7784e22cf3415b5b4558f13cfcaf72f834323af7c0fac0e88d170da6ecc3287
Instruction Fuzzy Hash: DF41D270F012468FDF25CA68D59477E7772EB86354F20486AD206EB382D739DC868B92

Function 02F6A6C8 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4593836596.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f60000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6f856a69b64ed68a4e9c7dec104827d42b197a702e957306882e12c5f875287
Instruction ID: 327210285fe120530a64537dc65fe691d97a7de2518a3c3bdaa6977ea8bb31be
Opcode Fuzzy Hash: f6f856a69b64ed68a4e9c7dec104827d42b197a702e957306882e12c5f875287
Instruction Fuzzy Hash: 7D513D75A00209DFDB44DFA9E884799FBB1FF88310F14C1A9E9089B355EB70D845CB90

Function 02F66CD4 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4593836596.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f60000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f1f709c97941096b52fa15d9b492e476d8f83d6bc204bd38f17a77909cc2ab1
Instruction ID: 84a24e5224d88c99bfcebf44107c89f183cf67f03d2884546fb143f47a7a9102
Opcode Fuzzy Hash: 6f1f709c97941096b52fa15d9b492e476d8f83d6bc204bd38f17a77909cc2ab1
Instruction Fuzzy Hash: AB510470E102188FDB14CFA9C888BADBBB5FF48354F14812AE916AB355D778A844CF94

Function 02F66CE0 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4593836596.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f60000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e61188b79a81ed529cdb1831bfa0bc71f89347fe04a30e6245bcb0414a046983
Instruction ID: ea2c0dd0a1f05eb9d81084e022eb352fa2adbe5830e84ad373eba6f09ec977f9
Opcode Fuzzy Hash: e61188b79a81ed529cdb1831bfa0bc71f89347fe04a30e6245bcb0414a046983
Instruction Fuzzy Hash: 00510370E002188FDB14CFA9C888BAEFBB5FF48314F14811AE916AB351D778A844CF95

Function 02F61128 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4593836596.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f60000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0efc28c3a0cd8a6f0f5a75ac1617fd14ac5f173f23642f93c67a9491779c751d
Instruction ID: 25c73c65a7249125b9d814763778978f48f139cd39dbdb7bcdc9e4fd0248b079
Opcode Fuzzy Hash: 0efc28c3a0cd8a6f0f5a75ac1617fd14ac5f173f23642f93c67a9491779c751d
Instruction Fuzzy Hash: 3A514E38216246CFC709DF2AF9909543FB1FBDA345304A6ADE1149B362DA782DC6CF81

Function 02F61138 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4593836596.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f60000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d71aeb29064878347f79659919c5cfc774907ee484fbd0fab7603c839587849
Instruction ID: c22320aa2a701dd85473e53aeda5d6b8f03c087e1d8e76eebea915784cc89f2f
Opcode Fuzzy Hash: 4d71aeb29064878347f79659919c5cfc774907ee484fbd0fab7603c839587849
Instruction Fuzzy Hash: 17511B38616246CFC709DF2AF9909583FB1FBDA345304A6ADE1149B362DA782DC5CF81

Function 02F6DE6A Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4593836596.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f60000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3522a89daa37c012b61471cf52e88501d9e3c35f82211a4dcd0ee365d0228572
Instruction ID: fa5ca3243fb90cb10d061cd36a1f7ccdd2e7d4fdc08976eaebc3f20d5bce2637
Opcode Fuzzy Hash: 3522a89daa37c012b61471cf52e88501d9e3c35f82211a4dcd0ee365d0228572
Instruction Fuzzy Hash: 2D314D75B00616EFD705CB68C880E7AB7B6FBC8300F55C168E5019B299CB35EC92CBA0

Function 02F67D90 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4593836596.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f60000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a758a39a5f39ef37da76f3ced436778e0f30e985eaa27342131e50e20f230eb7
Instruction ID: b021b8d86438cb4d86a699cfd42b330f20dc6e68a4f1ae92c3896db81b02df71
Opcode Fuzzy Hash: a758a39a5f39ef37da76f3ced436778e0f30e985eaa27342131e50e20f230eb7
Instruction Fuzzy Hash: 4C314E31E0021A9FDB14EFA5D4487AEF7B6EF85354F608525E506EB280EB70AD85CB50

Function 02F626DC Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4593836596.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f60000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35003103d717e2f4e3f3a393c9af96e430978575749943fa9e9c468215a79e9f
Instruction ID: 1eecc0447583100c6bdef255378498fcb49ac2d0f71c257e51efb01555fd5863
Opcode Fuzzy Hash: 35003103d717e2f4e3f3a393c9af96e430978575749943fa9e9c468215a79e9f
Instruction Fuzzy Hash: CB41D0B1D0034DDFDB10CFA9C984AEEBBB5EF48314F14802AE909AB254DB759945CF90

Function 02F67D80 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4593836596.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f60000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05dacc9c045b9159a3305b11b4549e0f1d0ee9637d00d19a5287a3b0889b26e6
Instruction ID: e085733712706fd7ccffd03a1c992e4bcd92ff435bafaf945cf138382823e3e4
Opcode Fuzzy Hash: 05dacc9c045b9159a3305b11b4549e0f1d0ee9637d00d19a5287a3b0889b26e6
Instruction Fuzzy Hash: 6F315E30E0120A9FDB24DFB5C4487AEF7B2EF85744F208529E902EB284D7709845CB50

Function 02F626E8 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4593836596.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f60000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1addc23bdc3bcc99f5d3315c75ca6715454935e2c38bae542f2a418f9549fb2
Instruction ID: b3db6d58d523d057745cdb9026e05bd2e4ca165cfc9184d1943eb85ff8142bed
Opcode Fuzzy Hash: e1addc23bdc3bcc99f5d3315c75ca6715454935e2c38bae542f2a418f9549fb2
Instruction Fuzzy Hash: F541EFB0D0034DDFEB10CFA9C984A9EBBF5FF48314F10802AE909AB254DB75A945CB90

Function 02F6A078 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4593836596.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f60000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ebf26c8e0344bfb75650c71fadaa4ad4e8ee9c93059e8eaa04a6d28d5b3aaf2
Instruction ID: cd1099ad21a4f6911e76c4ff3487186ff54ec4f2db1dbc100e7b84fd93d7f111
Opcode Fuzzy Hash: 8ebf26c8e0344bfb75650c71fadaa4ad4e8ee9c93059e8eaa04a6d28d5b3aaf2
Instruction Fuzzy Hash: 35216075E0424A9BDB19CF68D8946AEF7B2FF89340F50C619E905BB341DB719C81CB90

Function 02F6A077 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4593836596.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f60000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6aaaba8c18b2b677cf01cd4e0e397d018723c38a61322905e4517758e1174261
Instruction ID: 6750e593f6db42c1dce14b10ac8ab40706cff9bb8fd105063275ef58c44f387b
Opcode Fuzzy Hash: 6aaaba8c18b2b677cf01cd4e0e397d018723c38a61322905e4517758e1174261
Instruction Fuzzy Hash: A4215175E0024A9BDB15CF68D5557AEF7B2FF89340F10C619E905BB241DB719C81CB90

Function 02F6169F Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4593836596.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f60000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb178bbc31bc01911591113db2497bdd029081d1253e04b9ec7dacd1c904cdb3
Instruction ID: d5357b76b53ac7fc6f703d74addccf7bd1ad975d70332999482cf34b6f555654
Opcode Fuzzy Hash: fb178bbc31bc01911591113db2497bdd029081d1253e04b9ec7dacd1c904cdb3
Instruction Fuzzy Hash: 3B21A138B011098FEB24DB69E88876A3B66EBC5344F148A69D51ACB355DB7C9C81CB81

Function 02F69F68 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4593836596.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f60000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17f9f6f5774c64449961493b06f4a99dfb9afa38dbafeaa4eac93c02d7f54854
Instruction ID: 000a1fbc13f415f3e81772149c6ca8354818ad109fdc2d41f3ff1de9168a0f53
Opcode Fuzzy Hash: 17f9f6f5774c64449961493b06f4a99dfb9afa38dbafeaa4eac93c02d7f54854
Instruction Fuzzy Hash: 5021A131E002099FCB18CF64C5946EEF7B2EF89340F20861AE912FB350DBB0A845CB40

Function 02F66B98 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4593836596.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f60000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6693bf5485a7f3d16ffde139045af7c7f5cbf77bac50f28b7aa64438e5e046e
Instruction ID: 988214ed4bf277d7cc83d8aa4b5f194c37cec7655514d7829ea3ffa0fc92cb01
Opcode Fuzzy Hash: c6693bf5485a7f3d16ffde139045af7c7f5cbf77bac50f28b7aa64438e5e046e
Instruction Fuzzy Hash: 9D2100317092808FC711EB78D8506AA7BB2EFCA340B1585AEC105CB395DB789C84CB91

Function 02F61878 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4593836596.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f60000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e9ad77acb7f06c6e727a047cb379258b170a91d0bc74c567cfb45e670d7fbe5
Instruction ID: 225ddd08de710519806b5921afd8fbf2d3bb371990249be4bdd0618bcf116049
Opcode Fuzzy Hash: 3e9ad77acb7f06c6e727a047cb379258b170a91d0bc74c567cfb45e670d7fbe5
Instruction Fuzzy Hash: C3212D30A00245CFDB14EB78C5687AE77F2EF89385F200568D20AEB354DB358D40CB51

Function 02F6A860 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4593836596.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f60000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f84eeb5eb2b953885d1125b45b416d607987303df7ff9e15d33d26c0299036d9
Instruction ID: 52e54fa1beeb6d7b6aa3d7c9429c2d066653a9fdbe9aa21c68dffd66bcaa554a
Opcode Fuzzy Hash: f84eeb5eb2b953885d1125b45b416d607987303df7ff9e15d33d26c0299036d9
Instruction Fuzzy Hash: F0217F31B101048FEB14DB79C968BAD77F6EF88714F218169E605FB3A4DA718D41CB90

Function 02DDD030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4593600059.0000000002DDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ddd000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9b7c96147310eb145bae83ace9b13451a9eab492f444c7e1d50608cebfbf865
Instruction ID: a45c0fb90b4d58a1686999822398179b569d09151d8cc49668f02ce07599bf6f
Opcode Fuzzy Hash: f9b7c96147310eb145bae83ace9b13451a9eab492f444c7e1d50608cebfbf865
Instruction Fuzzy Hash: 32210072504604EFDF14DF14D980B26BBA6EBC4314F70C56DE94A0A352C37AD846CA62

Function 02F64F8B Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4593836596.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f60000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66194e2389e6864b43e33c668f54ef1a898f73638ffc1c63849d36aa65100fed
Instruction ID: 52a795492b55a9aef46bbf2a5b0df1d9251188ad80e5efd2e107abbebb3a52a8
Opcode Fuzzy Hash: 66194e2389e6864b43e33c668f54ef1a898f73638ffc1c63849d36aa65100fed
Instruction Fuzzy Hash: 3C210234B00105DFDB14EB78C958AAE77F2EB89745B2004A8E506EB3A4DB769D41CBA1

Function 02DDD005 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4593600059.0000000002DDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ddd000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f73cc1749d2a69e6ed7760e567ba9dbbacb9a445707005da1006d433af3f5be8
Instruction ID: 48ce8073fbdeb0f9298202a11b4cd67a07ca280fe21d6575ece5c8af189f6d4f
Opcode Fuzzy Hash: f73cc1749d2a69e6ed7760e567ba9dbbacb9a445707005da1006d433af3f5be8
Instruction Fuzzy Hash: 54214B711097C09FCB03CB64D990711BF71AB46214F2985EBD8898F2A7C33A980ACB62

Function 02F61383 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4593836596.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f60000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a62882d5f85e586d81d029b3c3b4d8bf693f80290906a908e477b8fa7842a6fb
Instruction ID: 14d11b61e281897f1b99f0f82820ac7af6fd84630cd6ce81bc2724581df2ad59
Opcode Fuzzy Hash: a62882d5f85e586d81d029b3c3b4d8bf693f80290906a908e477b8fa7842a6fb
Instruction Fuzzy Hash: A721AE30F012058BDF35A769E48C33A3B61EB42795F144869E60BCB780DB298C958792

Function 02F6A85B Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4593836596.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f60000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57c803588fa90d97a03ba28ba49387949a0fb29b61182e792eb45eb57cd82364
Instruction ID: a958659760a462699457e44a06b57a0092a5a3ad240e822cce57342c55d27b0f
Opcode Fuzzy Hash: 57c803588fa90d97a03ba28ba49387949a0fb29b61182e792eb45eb57cd82364
Instruction Fuzzy Hash: D9215E71B101058FEB14DB68C958BBD7BF6EF88714F258169E605FB3A4DA718D01CB90

Function 02F61888 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4593836596.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f60000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b489fce038efcf45ca430c2b6590643a5551562c54bd646e1c9ff9196894d67a
Instruction ID: c9d5f87d6d157e69104b3dfeba7cbb5f0d32f4e4ae69335c8cf941b8ee9e9f34
Opcode Fuzzy Hash: b489fce038efcf45ca430c2b6590643a5551562c54bd646e1c9ff9196894d67a
Instruction Fuzzy Hash: 8221EA30B00255CBDB14EB78C5687AE77F2EB89785F200468D60AEB354DB769D41CB91

Function 02F69F78 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4593836596.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f60000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 281d046ce54ac79225abbfa0488ca9b909ebfdbad4070ac50ea8bed79dd8a983
Instruction ID: 0a584f126a47cc16d931b19c3a5f23b5be525758720622ed79c739270641b9eb
Opcode Fuzzy Hash: 281d046ce54ac79225abbfa0488ca9b909ebfdbad4070ac50ea8bed79dd8a983
Instruction Fuzzy Hash: 47216231E002199BDB18CF64C4946AEF7B6EF89350F60861AE916FB340DBB0A845CB50

Function 02F616B0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4593836596.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f60000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd9ea3a82c369e683a107e6688deac8804f8f3277c253531bab3e37dd46ddf85
Instruction ID: 0a5a4baac21042a0f12b0b27489a563559f421208f95937cb97b67b4ae66e182
Opcode Fuzzy Hash: bd9ea3a82c369e683a107e6688deac8804f8f3277c253531bab3e37dd46ddf85
Instruction Fuzzy Hash: D221A538B011098BEF24E729E88872A3766EBC5744F105A29D61ACF355DF7DDC80CB91

Function 02F64F98 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4593836596.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f60000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a228b5c946e792b7de868f8bd0a54a90c78b326c1a068a3634245e78e4b6ec0
Instruction ID: d92c00866c516e1bb8a5ff4d0e8f8976c2b355b0e371276b184acb87aa3e129b
Opcode Fuzzy Hash: 6a228b5c946e792b7de868f8bd0a54a90c78b326c1a068a3634245e78e4b6ec0
Instruction Fuzzy Hash: 3221F434B00205DFDB54EB78C958AAE77F2EB89745B2004A8E506EB3A0DB76DD41CB91

Function 02F60848 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4593836596.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f60000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d45977de7377a554cc94798abca6dd2d986d8a2f37faeea25aa328edceb0c639
Instruction ID: 0a167ecd55bcc646f2ee64905b6887009c42feb7c4d54ded3fe03fa8274f3b0f
Opcode Fuzzy Hash: d45977de7377a554cc94798abca6dd2d986d8a2f37faeea25aa328edceb0c639
Instruction Fuzzy Hash: 47116A31F002098BEF649A79D408B3A3661FB866A4F30486DD216CF385DF65CC858BD1

Function 02F60838 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4593836596.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f60000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 479600ebae8df0ad46db2a4594b7de3094fc54d42e43eeb45e2676de0ed2211c
Instruction ID: 909fc018dfb8e34b9b265046b6dd43b8be525d56643ec59d6333933687c0e987
Opcode Fuzzy Hash: 479600ebae8df0ad46db2a4594b7de3094fc54d42e43eeb45e2676de0ed2211c
Instruction Fuzzy Hash: 5F119E31F012098BEF259A759418B7A3661FB862A4F34486ED652CF281EF65CC858BD2

Function 02F617C0 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4593836596.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f60000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5813fc485812257358274127381925b72ab258a53ae8ffd0826f0b11c800129f
Instruction ID: f8dfb7cff9f5b28a1eede465c020d99f2b286460365941d831ee68dee74a198f
Opcode Fuzzy Hash: 5813fc485812257358274127381925b72ab258a53ae8ffd0826f0b11c800129f
Instruction Fuzzy Hash: 1E112335F012658FCB10EBB5980866F7BF5FB89B90F104528E90AD7344EB388982CB91

Function 02F61488 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4593836596.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f60000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 568ff85d82a107f3d702a546822c03aad78d4bd1cdb7e3febb03739f0b1e8518
Instruction ID: 2a0347297b5955a2043897e6b8c4cbb2a48dffa34eac923a21f1c01a2c821b91
Opcode Fuzzy Hash: 568ff85d82a107f3d702a546822c03aad78d4bd1cdb7e3febb03739f0b1e8518
Instruction Fuzzy Hash: FB115131E012158FCB21EFB889982BEB7B1EB49390B240479D909EB301EB35C941CBD1

Function 02F61498 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4593836596.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f60000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad75289ffc94667af40a96c19764564bcb2ba2669fa8c741fecd78d2ecaa430b
Instruction ID: abd36a4d14bd33f54562d24606ec82fb30cd3addc70ba56d49ac2acdeedea1d5
Opcode Fuzzy Hash: ad75289ffc94667af40a96c19764564bcb2ba2669fa8c741fecd78d2ecaa430b
Instruction Fuzzy Hash: D4012131E002159FCB25EFB889582BEB7F5EB49290B240479D509EB301EB35D941CBD5

Function 02F6A6C5 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4593836596.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f60000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32e55ad39f5779e4350094c1f6edd9ac88d78a5e0cb8fb8cc9eb374d79829ef0
Instruction ID: 056fc6912160b9a60a36dd4d03d7203594762b850f5675433c996c82d086c9f4
Opcode Fuzzy Hash: 32e55ad39f5779e4350094c1f6edd9ac88d78a5e0cb8fb8cc9eb374d79829ef0
Instruction Fuzzy Hash: CF017131E001058BDB44DF94D9847AABB66FF84311F64C668C90C6B39AEBB4AD05CBA0

Function 02F640FF Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4593836596.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f60000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 818c5d58677686367bedfd2c312a2673a964e80513317ce51c5df63b5ce52180
Instruction ID: c5f2067dd80674426326afe63bd3006e5e0235cfc51fc0249674899cc448a1ee
Opcode Fuzzy Hash: 818c5d58677686367bedfd2c312a2673a964e80513317ce51c5df63b5ce52180
Instruction Fuzzy Hash: D611F330D00248DEEF36EA94D99C7FCB772EF2139AF24242AD121B21A09B7048C5CF11

Function 02F68F08 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4593836596.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f60000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 177ae5ecf0aa3706f4bb0c6567a03749eea0065be795644f36c5056572c8d48d
Instruction ID: ca1dc67114beb7190c907de8da0230082a4fbfc2be53734af7b52d1665816070
Opcode Fuzzy Hash: 177ae5ecf0aa3706f4bb0c6567a03749eea0065be795644f36c5056572c8d48d
Instruction Fuzzy Hash: EE015A74A0114EDFDB45EFA8E891A8C7FB1EB85300F1486ACC504AF251EA342E45DB61

Function 02F67EA8 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4593836596.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f60000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76847a4304e22b005346bce5f408afa449630543d1d0918d611c1998dc0832ff
Instruction ID: e7da02e8926540b9179b50bcbaa4aea4ae823d967843026d3a02bceb43835ce4
Opcode Fuzzy Hash: 76847a4304e22b005346bce5f408afa449630543d1d0918d611c1998dc0832ff
Instruction Fuzzy Hash: 63F0C439B01104CFC714EB74E598A6C77B2EF89B55F5184A8E5069B3A4DB35AD42CF40

Function 02F68F18 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4593836596.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f60000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 938017985ef0a22a2df1e2109557e68eed93fe56bffa78f30352bba64170767b
Instruction ID: bb7a4222682f43f379bf241e44f57ff69be0bc1b8e387ba6689d1c74dfd99707
Opcode Fuzzy Hash: 938017985ef0a22a2df1e2109557e68eed93fe56bffa78f30352bba64170767b
Instruction Fuzzy Hash: 57F04F34A0014EDFDF44EFA8F88169D7BB5EBC0300F6096ACC504AB250EE752E459B91

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Purchase Order For Linear Actuator.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_X00GI2RPISPKZHNF_fdea285d2efd4e31cd11be78abb91d9fb6fd2efe_b95f701e_8526e9a2-c9a0-4f6c-a7e7-ba3042745614\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER86B7.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER889D.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER88CC.tmp.xml

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3ozq5p4p.g35.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ccqeqfob.3ns.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hdqlvqun.rya.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xnibpavs.41c.ps1

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

Windows Analysis Report
Purchase Order For Linear Actuator.exe

Function 00007FFD34432718 Relevance: 4.4, Strings: 3, Instructions: 637
COMMON

Function 00007FFD3450026B Relevance: 3.3, Strings: 2, Instructions: 818
COMMON

Function 00007FFD34437EE8 Relevance: 3.1, Strings: 2, Instructions: 635
COMMON

Function 00007FFD34430BE9 Relevance: 3.0, Strings: 2, Instructions: 483
COMMON

Function 00007FFD34433740 Relevance: 2.8, Strings: 2, Instructions: 336
COMMON

Function 00007FFD344387FA Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 128
memoryCOMMON

Function 00007FFD34431CA5 Relevance: 1.9, APIs: 1, Instructions: 430
libraryCOMMON

Function 00007FFD344320AA Relevance: 1.9, APIs: 1, Instructions: 354
COMMON

Function 00007FFD344467DA Relevance: 1.8, APIs: 1, Instructions: 309
COMMON

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre