Windows Analysis Report
PO ACTUATOR JC35FA2.exe

Overview

General Information

Sample name: PO ACTUATOR JC35FA2.exe
Analysis ID: 1541817
MD5: 3347ea2966db1b15601fd171d9d49513
SHA1: f746277e620b0f7e7f77f106a61c44a35a8fe468
SHA256: 4d77def6a54990ec94ce80d0e2c5a0ee8ccb543e83f1ca7ed05987ce8454f132

Detection

AgentTesla
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected UAC Bypass using CMSTP
.NET source code references suspicious native API functions
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Disables UAC (registry)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file does not import any functions
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

mal100.troj.spyw.expl.evad.winEXE@12/10@0/0

Process Tree

  • System is w10x64
  • PO ACTUATOR JC35FA2.exe (PID: 6504 cmdline: "C:\Users\user\Desktop\PO ACTUATOR JC35FA2.exe" MD5: 3347EA2966DB1B15601FD171D9D49513)
    • conhost.exe (PID: 6204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 6352 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO ACTUATOR JC35FA2.exe" -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AddInProcess32.exe (PID: 1472 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
    • CasPol.exe (PID: 1816 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)
    • CasPol.exe (PID: 2472 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)
    • WerFault.exe (PID: 4476 cmdline: C:\Windows\system32\WerFault.exe -u -p 6504 -s 1432 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cleanup
Malware Configuration

Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Extracted configuration: {"Exfil Mode": "SMTP", "Port": "25", "Host": "mail.iaa-airferight.com", "Username": "admin@iaa-airferight.com", "Password": "manlikeyou88"}
Yara Overview

Memory dumps (9 entries in the full report, 5 shown):
Source | Rule | Description | Author
00000000.00000002.2130908767.000002DD65058000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
00000006.00000002.3309071579.00000000036DE000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000006.00000002.3307287120.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000006.00000002.3307287120.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.2132021018.000002DD74D51000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security

Unpacked PEs (10 entries in the full report, 5 shown):
Source | Rule | Description | Author
0.2.PO ACTUATOR JC35FA2.exe.2dd74dc6f08.2.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.PO ACTUATOR JC35FA2.exe.2dd74dc6f08.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
6.2.CasPol.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
6.2.CasPol.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.PO ACTUATOR JC35FA2.exe.2dd74dc6f08.2.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
  Strings:
  • 0x316cb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x3173d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x317c7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x31859:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x318c3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x31935:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x319cb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x31a5b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
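To re-check a hit like the ditekSHen match above against a dump or unpacked PE without Yara, the following Python is an added example (not the rule's own code) that searches for the eight Windows Credential Vault schema GUIDs the rule lists, in both ASCII and UTF-16LE, and reports offsets in the same shape as the Strings column. .NET stores string literals as UTF-16LE, which is why a Yara string must carry the `wide` modifier to hit a .NET sample at all. The rule's real condition is not on this page, so the `2 of them` threshold and the MZ check in `rule_fires` are assumptions, and the sample buffer is constructed.

```python
"""Manual re-check of the INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID strings.
Added example; the buffer below is constructed, not taken from the sample."""
from typing import Iterator, List, Tuple

# $s1..$s8 as listed in the Yara match above: Windows Credential Vault schema GUIDs
VAULT_SCHEMA_GUIDS = (
    "2F1A6504-0641-44CF-8BB5-3612D865F2E5",
    "3CCD5499-87A8-4B10-A215-608888DD3B55",
    "154E23D0-C644-4E6F-8CE6-5069272F999F",
    "4BF4C442-9B8A-41A0-B380-DD4A704DDB28",
    "77BC582B-F0A6-4E15-4E80-61736B6F3B29",
    "E69D7838-91B5-4FC9-89D5-230D4D4CC2BC",
    "3E0E35BE-1B77-43E7-B873-AED901B6275B",
    "3C886FF3-2669-4AA2-A8FB-3F6759A77548",
)


def find_all(haystack: bytes, needle: bytes) -> Iterator[int]:
    """Every (possibly overlapping) offset of needle in haystack."""
    pos = haystack.find(needle)
    while pos != -1:
        yield pos
        pos = haystack.find(needle, pos + 1)


def scan_vault_guids(buf: bytes) -> List[Tuple[str, int, str]]:
    """(string id, offset, encoding) per occurrence, like `yara -s` output.
    'wide' is Yara's name for UTF-16LE, the encoding .NET uses for string
    literals in the #US heap, so a .NET sample only hits the wide form."""
    hits = []
    for n, guid in enumerate(VAULT_SCHEMA_GUIDS, start=1):
        for encoding, needle in (("ascii", guid.encode("ascii")),
                                 ("wide", guid.encode("utf-16le"))):
            for off in find_all(buf, needle):
                hits.append((f"$s{n}", off, encoding))
    return sorted(hits, key=lambda h: h[1])


def rule_fires(buf: bytes, minimum: int = 2) -> bool:
    """Condition of the form `uint16(0) == 0x5A4D and N of ($s*)`.
    ASSUMPTION: the real rule's condition is not on the page; N=2 is a guess."""
    if buf[:2] != b"MZ":
        return False
    distinct = {h[0] for h in scan_vault_guids(buf)}
    return len(distinct) >= minimum


def format_hits(buf: bytes) -> List[str]:
    """Same shape as the report's Strings column, e.g. '0x140:$s4: 4BF4C442-...'."""
    return [f"0x{off:x}:{sid}: {VAULT_SCHEMA_GUIDS[int(sid[2:]) - 1]} ({enc})"
            for sid, off, enc in scan_vault_guids(buf)]


# Constructed stand-in for an unpacked PE: an MZ signature, filler, one GUID
# as UTF-16LE at 0x140 and one as ASCII at 0x1a8.
SAMPLE_PE = (b"MZ" + b"\x90" * 0x3e + b"\x00" * 0x100
             + VAULT_SCHEMA_GUIDS[3].encode("utf-16le") + b"\x00" * 0x20
             + VAULT_SCHEMA_GUIDS[4].encode("ascii") + b"\x00" * 0x10)

if __name__ == "__main__":
    for line in format_hits(SAMPLE_PE):
        print(line)
    print("rule fires:", rule_fires(SAMPLE_PE))
```

Run it against a real dump with `scan_vault_guids(open(path, "rb").read())`; a hit list of only `wide` entries is the expected picture for a .NET sample like this one, and an ASCII-only Yara string would miss it entirely.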

                    System Summary

Sigma rule matches (all three on the same process-creation event):
Source: Process started
Matched by: two rules authored by Florian Roth (Nextron Systems) and one authored by Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); rule titles are not rendered in this view (the signature list above names "Powershell Base64 Encoded MpPreference Cmdlet" and "Powershell Defender Exclusion")
Data:
  Command / CommandLine / ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO ACTUATOR JC35FA2.exe" -Force
  CommandLine|base64offset|contains: ~2yzw
  Image / NewProcessName / OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  ProcessId: 6352, ProcessName: powershell.exe
  ParentCommandLine: "C:\Users\user\Desktop\PO ACTUATOR JC35FA2.exe"
  ParentImage: C:\Users\user\Desktop\PO ACTUATOR JC35FA2.exe
  ParentProcessId: 6504, ParentProcessName: PO ACTUATOR JC35FA2.exe
Note that the command line as recorded is plaintext; no base64-encoded form of the cmdlet appears in this event.
                    No Suricata rule has matched
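The Sigma hits above and the process tree earlier are the two behaviours from this run worth alerting on: powershell.exe adding a Defender exclusion for the dropper, and .NET Framework utilities (AddInProcess32.exe, CasPol.exe) started with no arguments by an executable on the user's Desktop, the shape of a process-hollowing target. The following Python is an added example, not Joe Sandbox's or Sigma's code, that runs both checks over process-creation events constructed from the tree. It also generates the three base64 spellings that Sigma's `base64offset` modifier uses and, as my own extension beyond the modifier name shown on this page, generates them from the UTF-16LE form of the cmdlet name as well, since that is what `powershell.exe -EncodedCommand` actually base64-encodes. The host names beyond CasPol.exe and AddInProcess32.exe, and the trusted-parent directory list, are my assumptions.

```python
"""Process-creation triage for the two behaviours this report records.
Added example, not Joe Sandbox or Sigma code; events are constructed from
the process tree above."""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str          # full path of the new process
    cmdline: str        # command line as logged (Sysmon EID 1 / 4688 style)
    parent_image: str   # full path of the parent, "" when unknown


def base64offset_variants(needle: bytes) -> List[str]:
    """The three base64 spellings a byte string can have inside a base64 blob,
    one per alignment of its start offset modulo 3 (Sigma's base64offset).
    Characters that also encode the unknown bytes before/after it are cut."""
    lead = (0, 2, 3)   # leading chars polluted by the i prefix bytes
    trail = (0, 3, 2)  # trailing chars (incl. '=') polluted by the byte after
    out = []           # the needle, indexed by (len(needle) + i) % 3
    for i in range(3):
        enc = base64.b64encode(b" " * i + needle).decode("ascii")
        cut = trail[(len(needle) + i) % 3]
        out.append(enc[lead[i]:len(enc) - cut])
    return out


MPPREF_NEEDLES = ("Add-MpPreference ", "Set-MpPreference ",
                  "add-mppreference ", "set-mppreference ")
# Variants of the ASCII needles, plus (my extension) of their UTF-16LE form,
# which is what `powershell.exe -EncodedCommand` base64-encodes.
ENCODED_NEEDLES = [v for n in MPPREF_NEEDLES
                   for raw in (n.encode("ascii"), n.encode("utf-16le"))
                   for v in base64offset_variants(raw)]
PLAIN_MPPREF = re.compile(r"(add|set)-mppreference\b", re.I)
EXCLUSION_ARG = re.compile(r"-exclusion(path|process|extension|ipaddress)\b", re.I)


def defender_exclusion(ev: ProcEvent) -> Optional[str]:
    """How the exclusion cmdlet appears on a PowerShell command line, or None."""
    if not ev.image.lower().endswith(("\\powershell.exe", "\\pwsh.exe")):
        return None
    if PLAIN_MPPREF.search(ev.cmdline) and EXCLUSION_ARG.search(ev.cmdline):
        return "plaintext"
    if any(v in ev.cmdline for v in ENCODED_NEEDLES):
        return "base64"
    return None


# ASSUMPTION: only CasPol.exe and AddInProcess32.exe appear in this report;
# the other names are commonly abused .NET Framework hosts added by me.
DOTNET_HOSTS = {"caspol.exe", "addinprocess32.exe", "addinprocess.exe",
                "regasm.exe", "regsvcs.exe", "installutil.exe"}
TRUSTED_PARENT_DIRS = ("c:\\windows\\", "c:\\program files\\",
                       "c:\\program files (x86)\\")
FIRST_TOKEN = re.compile(r'^\s*(?:"[^"]*"|\S+)')


def hollowed_dotnet_host(ev: ProcEvent) -> bool:
    """A .NET Framework utility started with no arguments by a parent outside
    Windows/Program Files: the shape of a process-hollowing target."""
    name = ev.image.rsplit("\\", 1)[-1].lower()
    if name not in DOTNET_HOSTS:
        return False
    rest = FIRST_TOKEN.sub("", ev.cmdline, count=1).strip()
    return rest == "" and not ev.parent_image.lower().startswith(TRUSTED_PARENT_DIRS)


def triage(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    findings = []
    for ev in events:
        how = defender_exclusion(ev)
        if how:
            findings.append((ev.pid, f"defender-exclusion:{how}"))
        if hollowed_dotnet_host(ev):
            findings.append((ev.pid, "dotnet-host-no-args"))
    return findings


def encoded_command(script: str) -> str:
    """What -EncodedCommand expects: base64 of the UTF-16LE script."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


LOADER_EXE = r"C:\Users\user\Desktop\PO ACTUATOR JC35FA2.exe"
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
FW_DIR = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"
REPORT_EVENTS = [  # constructed from the process tree; parent of 6504 is unknown
    ProcEvent(6504, LOADER_EXE, f'"{LOADER_EXE}"', ""),
    ProcEvent(6352, PS_EXE, f'"{PS_EXE}" Add-MpPreference -ExclusionPath "{LOADER_EXE}" -Force', LOADER_EXE),
    ProcEvent(1472, FW_DIR + r"\AddInProcess32.exe", f'"{FW_DIR}\\AddInProcess32.exe"', LOADER_EXE),
    ProcEvent(1816, FW_DIR + r"\CasPol.exe", f'"{FW_DIR}\\CasPol.exe"', LOADER_EXE),
    ProcEvent(2472, FW_DIR + r"\CasPol.exe", f'"{FW_DIR}\\CasPol.exe"', LOADER_EXE),
    ProcEvent(4476, r"C:\Windows\System32\WerFault.exe",
              r"C:\Windows\system32\WerFault.exe -u -p 6504 -s 1432", LOADER_EXE),
]
# Constructed: the same cmdlet hidden behind -EncodedCommand, which the
# plaintext check misses and the base64offset check catches.
ENCODED_EVENT = ProcEvent(
    7001, PS_EXE, f'"{PS_EXE}" -NoP -W Hidden -EncodedCommand '
    + encoded_command(f"$x=1; Add-MpPreference -ExclusionPath '{LOADER_EXE}' -Force"),
    LOADER_EXE)

if __name__ == "__main__":
    for pid, why in triage(REPORT_EVENTS + [ENCODED_EVENT]):
        print(pid, why)
```

On the events from this report only the plaintext branch fires, because the recorded command line is not encoded; the base64 branch is exercised by the constructed `ENCODED_EVENT`. The UTF-16LE variants matter in practice: `base64offset` applied to the ASCII needle alone cannot match an `-EncodedCommand` payload, whose underlying bytes interleave a null after every character.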


                    AV Detection

Source: 0.2.PO ACTUATOR JC35FA2.exe.2dd74d8c4c0.3.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "25", "Host": "mail.iaa-airferight.com", "Username": "admin@iaa-airferight.com", "Password": "manlikeyou88"}
Source: PO ACTUATOR JC35FA2.exe | ReversingLabs: Detection: 31%
Source: PO ACTUATOR JC35FA2.exe | Virustotal: Detection: 34%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: PO ACTUATOR JC35FA2.exe | Joe Sandbox ML: detected

                    Exploits

Source: Yara match | File source: 00000000.00000002.2130908767.000002DD65058000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PO ACTUATOR JC35FA2.exe PID: 6504, type: MEMORYSTR

Static PE information

Source: PO ACTUATOR JC35FA2.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Debug symbol (PDB) strings

Source: WER8D6F.tmp.dmp.10.dr | Binary strings: Microsoft.VisualBasic.ni.pdb, System.ni.pdbRSDS, System.Windows.Forms.ni.pdb, System.Drawing.ni.pdb, mscorlib.ni.pdbRSDS7^3l, Microsoft.VisualBasic.ni.pdbRSDS&, System.Management.pdbh, System.Drawing.ni.pdbRSDS, System.pdb, System.Core.ni.pdb, Microsoft.VisualBasic.pdb, System.Windows.Forms.pdb, mscorlib.pdb, System.Drawing.pdbq1, System.Management.ni.pdbRSDSJ<, System.Windows.Forms.ni.pdbRSDS, System.Windows.Forms.pdb0, System.Drawing.pdb, System.Management.pdb, mscorlib.ni.pdb, System.Management.ni.pdb, System.Core.pdb, System.Core.pdb&, System.ni.pdb, System.Core.ni.pdbRSDS
(RSDS is the CodeView debug-record signature; the characters after a .pdb name are adjacent bytes of the crash dump, not part of the file name. These are .NET Framework assemblies loaded into the crashed process, not symbols of the sample itself.)

URLs found in binary or memory

Source: Amcache.hve.10.dr | String found in binary or memory: http://upx.sf.net
Source: PO ACTUATOR JC35FA2.exe, 00000000.00000002.2132021018.000002DD74D51000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000006.00000002.3307287120.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.PO ACTUATOR JC35FA2.exe.2dd74d8c4c0.3.raw.unpack, SKTzxzsJw.cs | .Net Code: sf6jJs8S
Source: 0.2.PO ACTUATOR JC35FA2.exe.2dd74dc6f08.2.raw.unpack, SKTzxzsJw.cs | .Net Code: sf6jJs8S

                    System Summary

Source: 0.2.PO ACTUATOR JC35FA2.exe.2dd74dc6f08.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 6.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.PO ACTUATOR JC35FA2.exe.2dd74d8c4c0.3.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.PO ACTUATOR JC35FA2.exe.2dd74dc6f08.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.PO ACTUATOR JC35FA2.exe.2dd74d8c4c0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: C:\Users\user\Desktop\PO ACTUATOR JC35FA2.exe | Code functions: 0_2_00007FF848E83ACC, 0_2_00007FF848E7AA29, 0_2_00007FF848E77C38, 0_2_00007FF848E77C40, 0_2_00007FF848E73528, 0_2_00007FF848E73520, 0_2_00007FF848E77D00, 0_2_00007FF848E7AEB1, 0_2_00007FF848E7DE49, 0_2_00007FF848F40060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code functions: 6_2_019F9378, 6_2_019F9B38, 6_2_019F4A98, 6_2_019FCDB0, 6_2_019F3E80, 6_2_019F41C8, 6_2_068156E0, 6_2_06813F50, 6_2_0681BD08, 6_2_0681DD18, 6_2_06819AE8, 6_2_06818BA0, 6_2_06812B00, 6_2_06810040, 6_2_06813250, 6_2_06815000
Source: C:\Users\user\Desktop\PO ACTUATOR JC35FA2.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6504 -s 1432
Source: PO ACTUATOR JC35FA2.exe | Static PE information: No import functions for PE file found
Source: PO ACTUATOR JC35FA2.exe, 00000000.00000002.2135064759.000002DD7D80C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamePowerShell.EXEj% vs PO ACTUATOR JC35FA2.exe
Source: PO ACTUATOR JC35FA2.exe, 00000000.00000000.2062623288.000002DD63166000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameNewStb.exe4 vs PO ACTUATOR JC35FA2.exe
Source: PO ACTUATOR JC35FA2.exe, 00000000.00000002.2132021018.000002DD74D51000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename7e5bb978-3a35-43a5-95fe-dd44d69d6a5a.exe4 vs PO ACTUATOR JC35FA2.exe
Source: PO ACTUATOR JC35FA2.exe, 00000000.00000002.2132021018.000002DD74D51000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAqofirivoqojal@ vs PO ACTUATOR JC35FA2.exe
Source: PO ACTUATOR JC35FA2.exe | Binary or memory string: OriginalFilenameNewStb.exe4 vs PO ACTUATOR JC35FA2.exe
Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID (author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers), type: UNPACKEDPE, on sources: 0.2.PO ACTUATOR JC35FA2.exe.2dd74dc6f08.2.unpack; 6.2.CasPol.exe.400000.0.unpack; 0.2.PO ACTUATOR JC35FA2.exe.2dd74d8c4c0.3.unpack; 0.2.PO ACTUATOR JC35FA2.exe.2dd74dc6f08.2.raw.unpack; 0.2.PO ACTUATOR JC35FA2.exe.2dd74d8c4c0.3.raw.unpack
Source: 0.2.PO ACTUATOR JC35FA2.exe.2dd74d8c4c0.3.raw.unpack, 4JJG6X.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO ACTUATOR JC35FA2.exe.2dd74d8c4c0.3.raw.unpack, 4JJG6X.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO ACTUATOR JC35FA2.exe.2dd74d8c4c0.3.raw.unpack, 8C78isHTVco.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO ACTUATOR JC35FA2.exe.2dd74d8c4c0.3.raw.unpack, 8C78isHTVco.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO ACTUATOR JC35FA2.exe.2dd74d8c4c0.3.raw.unpack, 8C78isHTVco.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO ACTUATOR JC35FA2.exe.2dd74d8c4c0.3.raw.unpack, 8C78isHTVco.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO ACTUATOR JC35FA2.exe.2dd74d8c4c0.3.raw.unpack, CqSP68Ir.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO ACTUATOR JC35FA2.exe.2dd74d8c4c0.3.raw.unpack, CqSP68Ir.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winEXE@12/10@0/0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6204:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6180:120:WilError_03
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6504
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_aqxitdmq.3ym.ps1
Source: PO ACTUATOR JC35FA2.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: PO ACTUATOR JC35FA2.exe | Static file information: TRID: Win64 Executable Console Net Framework (206006/5) 48.58%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PO ACTUATOR JC35FA2.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\PO ACTUATOR JC35FA2.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\PO ACTUATOR JC35FA2.exe | File read: C:\Users\user\Desktop\PO ACTUATOR JC35FA2.exe
Source: unknown | Process created: C:\Users\user\Desktop\PO ACTUATOR JC35FA2.exe "C:\Users\user\Desktop\PO ACTUATOR JC35FA2.exe"
Source: C:\Users\user\Desktop\PO ACTUATOR JC35FA2.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PO ACTUATOR JC35FA2.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO ACTUATOR JC35FA2.exe" -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PO ACTUATOR JC35FA2.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\Desktop\PO ACTUATOR JC35FA2.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Users\user\Desktop\PO ACTUATOR JC35FA2.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Users\user\Desktop\PO ACTUATOR JC35FA2.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6504 -s 1432
Source: C:\Users\user\Desktop\PO ACTUATOR JC35FA2.exe | Sections loaded: mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, wldp.dll, amsi.dll, userenv.dll, profapi.dll, wbemcomn.dll, sspicli.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, uxtheme.dll, windows.storage.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Sections loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, amsi.dll, userenv.dll, profapi.dll, windows.storage.dll, wldp.dll, msasn1.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: windows.storage.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: wldp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: profapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: uxtheme.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: urlmon.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: iertutil.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: srvcli.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: netutils.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: sspicli.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: propsys.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: cryptsp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: rsaenh.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: cryptbase.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: wbemcomn.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: amsi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: userenv.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: vaultcli.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: wintypes.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: iphlpapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: dnsapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: dhcpcsvc6.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: dhcpcsvc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: winnsi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: mswsock.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: rasadhlp.dll
                    Source: C:\Users\user\Desktop\PO ACTUATOR JC35FA2.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                    Source: C:\Users\user\Desktop\PO ACTUATOR JC35FA2.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
                    Source: PO ACTUATOR JC35FA2.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: PO ACTUATOR JC35FA2.exe Static file information: File size 2884127 > 1048576
                    Source: PO ACTUATOR JC35FA2.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WER8D6F.tmp.dmp.10.dr
                    Source: Binary string: System.ni.pdbRSDS source: WER8D6F.tmp.dmp.10.dr
                    Source: Binary string: System.Windows.Forms.ni.pdb source: WER8D6F.tmp.dmp.10.dr
                    Source: Binary string: System.Drawing.ni.pdb source: WER8D6F.tmp.dmp.10.dr
                    Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER8D6F.tmp.dmp.10.dr
                    Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER8D6F.tmp.dmp.10.dr
                    Source: Binary string: System.Management.pdbh source: WER8D6F.tmp.dmp.10.dr
                    Source: Binary string: System.Drawing.ni.pdbRSDS source: WER8D6F.tmp.dmp.10.dr
                    Source: Binary string: System.pdb source: WER8D6F.tmp.dmp.10.dr
                    Source: Binary string: System.Core.ni.pdb source: WER8D6F.tmp.dmp.10.dr
                    Source: Binary string: Microsoft.VisualBasic.pdb source: WER8D6F.tmp.dmp.10.dr
                    Source: Binary string: System.Windows.Forms.pdb source: WER8D6F.tmp.dmp.10.dr
                    Source: Binary string: mscorlib.pdb source: WER8D6F.tmp.dmp.10.dr
                    Source: Binary string: System.Drawing.pdbq1 source: WER8D6F.tmp.dmp.10.dr
                    Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER8D6F.tmp.dmp.10.dr
                    Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WER8D6F.tmp.dmp.10.dr
                    Source: Binary string: System.Windows.Forms.pdb0 source: WER8D6F.tmp.dmp.10.dr
                    Source: Binary string: System.Drawing.pdb source: WER8D6F.tmp.dmp.10.dr
                    Source: Binary string: System.Management.pdb source: WER8D6F.tmp.dmp.10.dr
                    Source: Binary string: mscorlib.ni.pdb source: WER8D6F.tmp.dmp.10.dr
                    Source: Binary string: System.Management.ni.pdb source: WER8D6F.tmp.dmp.10.dr
                    Source: Binary string: System.Core.pdb source: WER8D6F.tmp.dmp.10.dr
                    Source: Binary string: System.Core.pdb& source: WER8D6F.tmp.dmp.10.dr
                    Source: Binary string: System.ni.pdb source: WER8D6F.tmp.dmp.10.dr
                    Source: Binary string: System.Core.ni.pdbRSDS source: WER8D6F.tmp.dmp.10.dr
                    Source: C:\Users\user\Desktop\PO ACTUATOR JC35FA2.exe Code function: 0_2_00007FF848E76171 push ds; ret 0_2_00007FF848E7620F
                    Source: C:\Users\user\Desktop\PO ACTUATOR JC35FA2.exe Code function: 0_2_00007FF848E77961 push ebx; retf 0_2_00007FF848E7796A
                    Source: C:\Users\user\Desktop\PO ACTUATOR JC35FA2.exe Code function: 0_2_00007FF848E73390 push ds; ret 0_2_00007FF848E7620F
                    Source: C:\Users\user\Desktop\PO ACTUATOR JC35FA2.exe Code function: 0_2_00007FF848E700BD pushad ; iretd 0_2_00007FF848E700C1
                    Source: C:\Users\user\Desktop\PO ACTUATOR JC35FA2.exe Code function: 0_2_00007FF848F40060 push esp; retf 4810h 0_2_00007FF848F40312

                    Hooking and other Techniques for Hiding and Protection

                    Source: initial sample Icon embedded in binary file: icon matches a legit application icon: download (31).png
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Users\user\Desktop\PO ACTUATOR JC35FA2.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                    Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: Yara match | File source: Process Memory Space: PO ACTUATOR JC35FA2.exe PID: 6504, type: MEMORYSTR
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\Desktop\PO ACTUATOR JC35FA2.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
                    Source: PO ACTUATOR JC35FA2.exe, 00000000.00000002.2130908767.000002DD65058000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
                    Source: PO ACTUATOR JC35FA2.exe, 00000000.00000002.2130908767.000002DD65058000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
                    Source: PO ACTUATOR JC35FA2.exe, 00000000.00000002.2130908767.000002DD64D66000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLLP
                    Source: PO ACTUATOR JC35FA2.exe, 00000000.00000002.2130908767.000002DD64D66000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAMEP
                    Source: C:\Users\user\Desktop\PO ACTUATOR JC35FA2.exe | Memory allocated: 2DD634C0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\PO ACTUATOR JC35FA2.exe | Memory allocated: 2DD7CD40000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Memory allocated: 19A0000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Memory allocated: 3690000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Memory allocated: 5690000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\PO ACTUATOR JC35FA2.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier
                    Source: C:\Users\user\Desktop\PO ACTUATOR JC35FA2.exe | File opened / queried: C:\WINDOWS\system32\drivers\vmmouse.sys
                    Source: C:\Users\user\Desktop\PO ACTUATOR JC35FA2.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\disk\Enum name: 0
                    Source: C:\Users\user\Desktop\PO ACTUATOR JC35FA2.exe | File opened / queried: C:\WINDOWS\system32\drivers\vmhgfs.sys
                    Source: C:\Users\user\Desktop\PO ACTUATOR JC35FA2.exe | File opened / queried: C:\WINDOWS\system32\drivers\VBoxMouse.sys
                    Source: C:\Users\user\Desktop\PO ACTUATOR JC35FA2.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                    Source: C:\Users\user\Desktop\PO ACTUATOR JC35FA2.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                    Source: C:\Users\user\Desktop\PO ACTUATOR JC35FA2.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6705
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2850
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4760 | Thread sleep time: -9223372036854770s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2020 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2020 | Thread sleep time: -100000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 3340 | Thread sleep count: 94 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 3340 | Thread sleep count: 98 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 100000
                    Source: Amcache.hve.10.dr | Binary or memory string: VMware
                    Source: PO ACTUATOR JC35FA2.exe, 00000000.00000002.2130908767.000002DD64D66000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: QEMUP
                    Source: PO ACTUATOR JC35FA2.exe, 00000000.00000002.2130908767.000002DD64D66000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: "SOFTWARE\VMware, Inc.\VMware ToolsP
                    Source: PO ACTUATOR JC35FA2.exe, 00000000.00000002.2130908767.000002DD65058000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                    Source: Amcache.hve.10.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                    Source: PO ACTUATOR JC35FA2.exe, 00000000.00000002.2130908767.000002DD64D66000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE
                    Source: PO ACTUATOR JC35FA2.exe, 00000000.00000002.2130908767.000002DD65058000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
                    Source: Amcache.hve.10.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                    Source: Amcache.hve.10.dr | Binary or memory string: vmci.sys
                    Source: PO ACTUATOR JC35FA2.exe, 00000000.00000002.2130908767.000002DD65058000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
                    Source: PO ACTUATOR JC35FA2.exe, 00000000.00000002.2130908767.000002DD65058000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
                    Source: PO ACTUATOR JC35FA2.exe, 00000000.00000002.2130908767.000002DD65058000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
                    Source: Amcache.hve.10.dr | Binary or memory string: VMware20,1
                    Source: PO ACTUATOR JC35FA2.exe, 00000000.00000002.2130908767.000002DD64D66000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: &C:\WINDOWS\system32\drivers\vmhgfs.sysP
                    Source: Amcache.hve.10.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
                    Source: Amcache.hve.10.dr | Binary or memory string: NECVMWar VMware SATA CD00
                    Source: Amcache.hve.10.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
                    Source: Amcache.hve.10.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                    Source: Amcache.hve.10.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                    Source: Amcache.hve.10.dr | Binary or memory string: VMware PCI VMCI Bus Device
                    Source: PO ACTUATOR JC35FA2.exe, 00000000.00000002.2130908767.000002DD65058000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
                    Source: PO ACTUATOR JC35FA2.exe, 00000000.00000002.2130908767.000002DD65058000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
                    Source: Amcache.hve.10.dr | Binary or memory string: VMware VMCI Bus Device
                    Source: Amcache.hve.10.dr | Binary or memory string: VMware Virtual RAM
                    Source: Amcache.hve.10.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                    Source: PO ACTUATOR JC35FA2.exe, 00000000.00000002.2130908767.000002DD64D66000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWAREP
                    Source: Amcache.hve.10.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
                    Source: Amcache.hve.10.dr | Binary or memory string: VMware Virtual USB Mouse
                    Source: PO ACTUATOR JC35FA2.exe, 00000000.00000002.2130908767.000002DD64D66000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmwareP
                    Source: Amcache.hve.10.dr | Binary or memory string: vmci.syshbin
                    Source: Amcache.hve.10.dr | Binary or memory string: VMware, Inc.
                    Source: Amcache.hve.10.dr | Binary or memory string: VMware20,1hbin@
                    Source: PO ACTUATOR JC35FA2.exe, 00000000.00000002.2130908767.000002DD64D66000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: )C:\WINDOWS\system32\drivers\VBoxMouse.sysP
                    Source: Amcache.hve.10.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                    Source: Amcache.hve.10.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                    Source: Amcache.hve.10.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                    Source: PO ACTUATOR JC35FA2.exe, 00000000.00000002.2130908767.000002DD64D66000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: %C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\P
                    Source: PO ACTUATOR JC35FA2.exe, 00000000.00000002.2130908767.000002DD65058000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                    Source: PO ACTUATOR JC35FA2.exe, 00000000.00000002.2130908767.000002DD65058000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA II
                    Source: Amcache.hve.10.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
                    Source: Amcache.hve.10.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                    Source: PO ACTUATOR JC35FA2.exe, 00000000.00000002.2130908767.000002DD64D66000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA IIP
                    Source: CasPol.exe, 00000006.00000002.3311836465.00000000065BC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: PO ACTUATOR JC35FA2.exe, 00000000.00000002.2130908767.000002DD64D66000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'C:\WINDOWS\system32\drivers\vmmouse.sysP
                    Source: Amcache.hve.10.dr | Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
                    Source: Amcache.hve.10.dr | Binary or memory string: vmci.syshbin`
                    Source: Amcache.hve.10.dr | Binary or memory string: \driver\vmci,\driver\pci
                    Source: PO ACTUATOR JC35FA2.exe, 00000000.00000002.2130908767.000002DD65058000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                    Source: Amcache.hve.10.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                    Source: Amcache.hve.10.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\PO ACTUATOR JC35FA2.exe | Process queried: DebugPort
                    Source: C:\Users\user\Desktop\PO ACTUATOR JC35FA2.exe | Process token adjusted: Debug
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\PO ACTUATOR JC35FA2.exe | Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: PO ACTUATOR JC35FA2.exe, .cs | Reference to suspicious API methods: GetProcAddress(, )
                    Source: PO ACTUATOR JC35FA2.exe, .cs | Reference to suspicious API methods: LoadLibrary("kernel32.dll")
                    Source: PO ACTUATOR JC35FA2.exe, .cs | Reference to suspicious API methods: GetProcAddress(, "VirtualProtect")
                    Source: 0.2.PO ACTUATOR JC35FA2.exe.2dd74d8c4c0.3.raw.unpack, zOS.cs | Reference to suspicious API methods: _120HqGy.OpenProcess(_2pIt.DuplicateHandle, bInheritHandle: true, (uint)iVE.ProcessID)
                    Source: C:\Users\user\Desktop\PO ACTUATOR JC35FA2.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO ACTUATOR JC35FA2.exe" -Force
                    Source: C:\Users\user\Desktop\PO ACTUATOR JC35FA2.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\PO ACTUATOR JC35FA2.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000
                    Source: C:\Users\user\Desktop\PO ACTUATOR JC35FA2.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 402000
                    Source: C:\Users\user\Desktop\PO ACTUATOR JC35FA2.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 43C000
                    Source: C:\Users\user\Desktop\PO ACTUATOR JC35FA2.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 43E000
                    Source: C:\Users\user\Desktop\PO ACTUATOR JC35FA2.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 123C008
                    Source: C:\Users\user\Desktop\PO ACTUATOR JC35FA2.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO ACTUATOR JC35FA2.exe" -ForceJump to behavior
                    Source: C:\Users\user\Desktop\PO ACTUATOR JC35FA2.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\PO ACTUATOR JC35FA2.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\PO ACTUATOR JC35FA2.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\PO ACTUATOR JC35FA2.exeQueries volume information: C:\Users\user\Desktop\PO ACTUATOR JC35FA2.exe VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO ACTUATOR JC35FA2.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                    Lowering of HIPS / PFW / Operating System Security Settings

                    Source: C:\Users\user\Desktop\PO ACTUATOR JC35FA2.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA
                    Source: Amcache.hve.10.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                    Source: Amcache.hve.10.dr | Binary or memory string: msmpeng.exe
                    Source: Amcache.hve.10.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
                    Source: Amcache.hve.10.dr | Binary or memory string: MsMpEng.exe

                    Stealing of Sensitive Information

                    Source: Yara match | File source: 0.2.PO ACTUATOR JC35FA2.exe.2dd74dc6f08.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 6.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.PO ACTUATOR JC35FA2.exe.2dd74d8c4c0.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.PO ACTUATOR JC35FA2.exe.2dd74dc6f08.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.PO ACTUATOR JC35FA2.exe.2dd74d8c4c0.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000006.00000002.3309071579.00000000036DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000006.00000002.3307287120.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.2132021018.000002DD74D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000006.00000002.3309071579.0000000003691000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: PO ACTUATOR JC35FA2.exe PID: 6504, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: CasPol.exe PID: 1816, type: MEMORYSTR
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\FTP Navigator\Ftplist.txt
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: Yara match | File source: 0.2.PO ACTUATOR JC35FA2.exe.2dd74dc6f08.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 6.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.PO ACTUATOR JC35FA2.exe.2dd74d8c4c0.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.PO ACTUATOR JC35FA2.exe.2dd74dc6f08.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.PO ACTUATOR JC35FA2.exe.2dd74d8c4c0.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000006.00000002.3307287120.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.2132021018.000002DD74D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000006.00000002.3309071579.0000000003691000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: PO ACTUATOR JC35FA2.exe PID: 6504, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: CasPol.exe PID: 1816, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara match | File source: 0.2.PO ACTUATOR JC35FA2.exe.2dd74dc6f08.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 6.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.PO ACTUATOR JC35FA2.exe.2dd74d8c4c0.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.PO ACTUATOR JC35FA2.exe.2dd74dc6f08.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.PO ACTUATOR JC35FA2.exe.2dd74d8c4c0.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000006.00000002.3309071579.00000000036DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000006.00000002.3307287120.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.2132021018.000002DD74D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000006.00000002.3309071579.0000000003691000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: PO ACTUATOR JC35FA2.exe PID: 6504, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: CasPol.exe PID: 1816, type: MEMORYSTR
                    Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                    Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 221 Windows Management Instrumentation | 1 DLL Side-Loading | 211 Process Injection | 1 Masquerading | 2 OS Credential Dumping | 341 Security Software Discovery | Remote Services | 1 Email Collection | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                    Credentials | Domains | Default Accounts | 1 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 21 Disable or Modify Tools | 1 Input Capture | 1 Process Discovery | Remote Desktop Protocol | 1 Input Capture | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
                    Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 261 Virtualization/Sandbox Evasion | 1 Credentials in Registry | 261 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 11 Archive Collected Data | Steganography | Automated Exfiltration | Data Encrypted for Impact
                    Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 211 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | 2 Data from Local System | Protocol Impersonation | Traffic Duplication | Data Destruction
                    Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                    Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Obfuscated Files or Information | Cached Domain Credentials | 24 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                    DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery

                    Source | Detection | Scanner | Label
                    PO ACTUATOR JC35FA2.exe | 32% | ReversingLabs | Win64.Trojan.GenSteal
                    PO ACTUATOR JC35FA2.exe | 34% | Virustotal
                    PO ACTUATOR JC35FA2.exe | 100% | Joe Sandbox ML
                    No Antivirus matches
                    No Antivirus matches
                    No Antivirus matches
                    Source | Detection | Scanner | Label
                    http://upx.sf.net | 0% | URL Reputation | safe
                    http://upx.sf.net | 0% | URL Reputation | safe
                    https://account.dyn.com/ | 0% | URL Reputation | safe
                    No contacted domains info
                    Name | Source | Malicious | Antivirus Detection | Reputation
                    http://upx.sf.net | Amcache.hve.10.dr | false | URL Reputation: safe; URL Reputation: safe | unknown
                    https://account.dyn.com/ | PO ACTUATOR JC35FA2.exe, 00000000.00000002.2132021018.000002DD74D51000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000006.00000002.3307287120.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    No contacted IP infos
                    Joe Sandbox version:41.0.0 Charoite
                    Analysis ID:1541817
                    Start date and time:2024-10-25 07:34:51 +02:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 5m 24s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                    Number of new started processes analysed: 13
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Sample name:PO ACTUATOR JC35FA2.exe
                    Detection:MAL
                    Classification:mal100.troj.spyw.expl.evad.winEXE@12/10@0/0
                    EGA Information:
                    • Successful, ratio: 100%
                    HCA Information:
                    • Successful, ratio: 86%
                    • Number of executed functions: 65
                    • Number of non-executed functions: 0
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Internet access has been disabled
                    • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, svchost.exe
                    • Not all processes were analyzed, report is missing behavior information
                    • Report size exceeded maximum capacity and may have missing behavior information.
                    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                    • Report size getting too big, too many NtCreateKey calls found.
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    • Report size getting too big, too many NtReadVirtualMemory calls found.
                    • Report size getting too big, too many NtSetInformationFile calls found.
                    Time | Type | Description
                    01:35:48 | API Interceptor | 25x Sleep call for process: powershell.exe modified
                    01:35:49 | API Interceptor | 1x Sleep call for process: CasPol.exe modified
                    01:35:50 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
                    No context
                    No context
                    No context
                    No context
                    No context
                    Process:C:\Windows\System32\WerFault.exe
                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):65536
                    Entropy (8bit):1.2354224982066921
                    Encrypted:false
                    SSDEEP:384:ccCf4BgaUnUlm8amHhECzuiFgY4lO80xm:ccCfZaUnUlm8aQzuiFgY4lO80x
                    MD5:B73B185A5081665CEA7903E4488CB8E5
                    SHA1:424318BD3E9F2B39D5F8479F156C4B431A0C8FB0
                    SHA-256:C4AB12182FAAED004B3A8001199D4EC4632FA32DCAF70033312C8D4CBC38EEE6
                    SHA-512:17BF8E7A55D4F0018BDF8D0402E07BC18109B8CF96BC69C2D0F3F7B7E39F39EB31EF99071DF4FAD52803558CBF35CA3AEA10A26213DAF0C985F254D3F10EC2F8
                    Malicious:false
                    Reputation:low
                    Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.4.3.0.8.1.4.8.5.5.5.5.5.3.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.4.3.0.8.1.4.9.6.0.2.4.6.3.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.9.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.c.8.7.c.1.5.0.-.5.2.6.6.-.4.8.a.6.-.9.7.1.5.-.9.b.7.5.b.d.0.b.e.8.1.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.6.f.4.b.9.b.6.-.5.d.5.c.-.4.0.7.5.-.b.1.8.d.-.1.e.d.f.5.d.c.2.8.7.b.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.P.O. .A.C.T.U.A.T.O.R. .J.C.3.5.F.A.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.N.e.w.S.t.b...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.6.8.-.0.0.0.1.-.0.0.1.4.-.e.e.a.b.-.8.1.b.c.9.f.2.6.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.8.5.e.4.5.6.8.e.4.4.4.6.c.b.e.2.1.d.2.8.a.7.6.9.1.c.7.a.7.3.7.a.0.0.0.0.0.0.0.0.!.0.0.0.0.f.7.4.6.2.7.7.e.6.2.0.b.0.f.7.e.7.f.7.7.f.1.0.6.a.6.1.c.4.4.a.3.5.a.8.f.e.4.6.8.!.P.O. .A.C.T.U.
                    Process:C:\Windows\System32\WerFault.exe
                    File Type:Mini DuMP crash report, 16 streams, Fri Oct 25 05:35:49 2024, 0x1205a4 type
                    Category:dropped
                    Size (bytes):481634
                    Entropy (8bit):3.27987788804207
                    Encrypted:false
                    SSDEEP:3072:tdTuc3vnBu/EzcSFkbA4IYxbBpg1CCq1AkdXMbjIGTF//R3+v6Q3Xp2yg4UpjI:bqAFkNIYxGq1AkdXMbjI63Q6Q3XUhj
                    MD5:7BFD57AE9496B3EA84DB98E7512EF287
                    SHA1:1E0B95EC172EA55A931908AE7617BF2EEC34B43D
                    SHA-256:A48B9BE4D4B98A4AEBA6A0F0BDEE6EE2B2ECAF7B2F189A0B32DB98F0C1D253E4
                    SHA-512:E6E2463FD0053874BFC284388CE7E8121CF2227D810E1DA4880BE6725C1580A1E785B443F8BE9C0B681189F4B2F773CD97017090A2F7B5E000266FBB5B0B55FF
                    Malicious:false
                    Preview: (binary minidump data, omitted)
                    Process:C:\Windows\System32\WerFault.exe
                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):8640
                    Entropy (8bit):3.715973873292479
                    Encrypted:false
                    SSDEEP:192:R6l7wVeJJUFLey16YEIhxyLdIgmfu+4Uprd89bWMrwfaym:R6lXJKZey16YEOxyLigmfu+4rWAwfm
                    MD5:EE4AE25D62CAD9526AFCDEF87A24FE76
                    SHA1:8E98BB84EEE62B004C036B1A1FBEB249A0CE949D
                    SHA-256:5FA41559DE94840DD2EEC46662C48E73328FBE2F3BA2B96F2887C10C5141FECC
                    SHA-512:B9A76C27CE8A67178D6C9D2434BBAAE71B98C870C3BFEEF24A13C39CF440F25FEFF6FFE94A028BDEE09DB2913205D83938D300F82E6652E779D43AF4045F2555
                    Malicious:false
                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.5.0.4.<./.P.i.
                    Process:C:\Windows\System32\WerFault.exe
                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):4804
                    Entropy (8bit):4.556375451911024
                    Encrypted:false
                    SSDEEP:48:cvIwWl8zsWJg771I9UnWpW8VY/Ym8M4JwXtEt+FdQyq85oi+SHxchfRSvDESpd:uIjfsI7bW7VbJwXtET5iHRISvDESpd
                    MD5:868F5A28A1BF805A8533148ED08AFDAE
                    SHA1:D746C7290DCAF4FAA04660EA7EFD98A955E0A41E
                    SHA-256:4ECC2EF5DD979750DB6414FF6CBF6AE234A089F67214156CFBA036C9C077A37D
                    SHA-512:9279EC2E44439D16092820F6F3B02EEA19545051EEC92BF1DEDF18D91F09B158D2FD542FB9A55853FEB0511B004FB3A8F7FB050CD460676AF83D63E00CC142CB
                    Malicious:false
                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="558518" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):64
                    Entropy (8bit):1.1940658735648508
                    Encrypted:false
                    SSDEEP:3:Nlllul/nq/llh:NllUyt
                    MD5:AB80AD9A08E5B16132325DF5584B2CBE
                    SHA1:F7411B7A5826EE6B139EBF40A7BEE999320EF923
                    SHA-256:5FBE5D71CECADD2A3D66721019E68DD78C755AA39991A629AE81C77B531733A4
                    SHA-512:9DE2FB33C0EA36E1E174850AD894659D6B842CD624C1A543B2D391C8EBC74719F47FA88D0C4493EA820611260364C979C9CDF16AF1C517132332423CA0CB7654
                    Malicious:false
                    Preview:@...e................................................@..........
                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    File Type:ASCII text, with no line terminators
                    Category:dropped
                    Size (bytes):60
                    Entropy (8bit):4.038920595031593
                    Encrypted:false
                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                    Malicious:false
                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                    Process:C:\Windows\System32\WerFault.exe
                    File Type:MS Windows registry file, NT/2000 or above
                    Category:dropped
                    Size (bytes):1835008
                    Entropy (8bit):4.421738319216578
                    Encrypted:false
                    SSDEEP:6144:BSvfpi6ceLP/9skLmb0OTnWSPHaJG8nAgeMZMMhA2fX4WABlEnNu0uhiTw:YvloTnW+EZMM6DFyY03w
                    MD5:854327E18DE99C2E12FE0A263DA41784
                    SHA1:EDE0AF52C73B52E8C4EED0D3795092B92F972C3A
                    SHA-256:1427FD905FC246ABE93394E9E62144A421A8E9F3F477311EF27D3DE48593489D
                    SHA-512:2BA5A72FFC4B2D562B9296FB7A929A4231B8A9DB85B898E8034893FDAE3385DB2DF9A4E171C9BF8913FC06C3E8CA5CEA8CA77943427EBCA21548EC8B507D1A95
                    Malicious:false
                    Preview:regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm."...&..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                    File type:PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
                    Entropy (8bit):4.881096315042891
                    TrID:
                    • Win64 Executable Console Net Framework (206006/5) 48.58%
                    • Win64 Executable Console (202006/5) 47.64%
                    • Win64 Executable (generic) (12005/4) 2.83%
                    • Generic Win/DOS Executable (2004/3) 0.47%
                    • DOS Executable Generic (2002/1) 0.47%
                    File name:PO ACTUATOR JC35FA2.exe
                    File size:2'884'127 bytes
                    MD5:3347ea2966db1b15601fd171d9d49513
                    SHA1:f746277e620b0f7e7f77f106a61c44a35a8fe468
                    SHA256:4d77def6a54990ec94ce80d0e2c5a0ee8ccb543e83f1ca7ed05987ce8454f132
                    SHA512:f215d758bcc125da90eb91984e6a167eac347aac4b1a5ddbe39144777f449d4f0e526d46234f40c366bc9fcba381840065f12b0f2f16314d167f80edcf225ec7
                    SSDEEP:12288:I1P7r9r/+ppppppppppppppppppppppppppppp0GhkO8M5n6PgxCzjPvdaSKD7yN:e1qhL8E6PQgPvdRvOKUxK/IqnY8
                    TLSH:DDD5CE80B5475D93FC185630E5E6B8F442FE6DAB78F4901FDF993D262ABA2BE0011076
                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....u.g.........."...0.B%...N........... ....@...... ..............................JG,...`................................
                    Icon Hash:c5a684988c94a0c5
                    Entrypoint:0x400000
                    Entrypoint Section:
                    Digitally signed:false
                    Imagebase:0x400000
                    Subsystem:windows cui
                    Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                    DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Time Stamp:0x671A75BC [Thu Oct 24 16:28:44 2024 UTC]
                    TLS Callbacks:
                    CLR (.Net) Version:
                    OS Version Major:4
                    OS Version Minor:0
                    File Version Major:4
                    File Version Minor:0
                    Subsystem Version Major:4
                    Subsystem Version Minor:0
                    Import Hash:
                    Instruction
                    dec ebp
                    pop edx
                    nop
                    add byte ptr [ebx], al
                    add byte ptr [eax], al
                    add byte ptr [eax+eax], al
                    add byte ptr [eax], al
                    Name | Virtual Address | Virtual Size | Is in Section
                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6000 | 0x34f0e | .rsrc
                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2000 | 0x48 | .text
                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                    .text | 0x2000 | 0x2542 | 0x2600 | 924a65bc7072deba44f9f53764ed7e35 | False | 0.5804893092105263 | data | 5.723115991470882 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    .rsrc | 0x6000 | 0x34f0e | 0x35000 | e5570df57bd337d747d19d636137004c | False | 0.20985959610849056 | data | 4.437155550708701 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                    Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                    RT_ICON | 0x6474 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | | | 0.3225609756097561
                    RT_ICON | 0x6adc | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | | | 0.43951612903225806
                    RT_ICON | 0x6dc4 | 0x1e8 | Device independent bitmap graphic, 24 x 48 x 4, image size 288 | | | 0.4016393442622951
                    RT_ICON | 0x6fac | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | | | 0.4831081081081081
                    RT_ICON | 0x70d4 | 0x35e0 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9907192575406032
                    RT_ICON | 0xa6b4 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | | | 0.4584221748400853
                    RT_ICON | 0xb55c | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | | | 0.47382671480144406
                    RT_ICON | 0xbe04 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | | | 0.45564516129032256
                    RT_ICON | 0xc4cc | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | | | 0.3504335260115607
                    RT_ICON | 0xca34 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | | | 0.07868508221933042
                    RT_ICON | 0x1d25c | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | | | 0.15114568005045195
                    RT_ICON | 0x26704 | 0x67e8 | Device independent bitmap graphic, 80 x 160 x 32, image size 26560 | | | 0.1543233082706767
                    RT_ICON | 0x2ceec | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 | | | 0.175184842883549
                    RT_ICON | 0x32374 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | | | 0.15948275862068967
                    RT_ICON | 0x3659c | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | | | 0.24107883817427386
                    RT_ICON | 0x38b44 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | | | 0.2678236397748593
                    RT_ICON | 0x39bec | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | | | 0.37459016393442623
                    RT_ICON | 0x3a574 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | | | 0.42819148936170215
                    RT_GROUP_ICON | 0x3a9dc | 0x102 | data | | | 0.6046511627906976
                    RT_VERSION | 0x3aae0 | 0x244 | data | | | 0.46379310344827585
                    RT_MANIFEST | 0x3ad24 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
                    No network behavior found

                    Target ID:0
                    Start time:01:35:44
                    Start date:25/10/2024
                    Path:C:\Users\user\Desktop\PO ACTUATOR JC35FA2.exe
                    Wow64 process (32bit):false
                    Commandline:"C:\Users\user\Desktop\PO ACTUATOR JC35FA2.exe"
                    Imagebase:0x2dd63160000
                    File size:2'884'127 bytes
                    MD5 hash:3347EA2966DB1B15601FD171D9D49513
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2130908767.000002DD65058000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2132021018.000002DD74D51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2132021018.000002DD74D51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    Reputation:low
                    Has exited:true

                    Target ID:1
                    Start time:01:35:44
                    Start date:25/10/2024
                    Path:C:\Windows\System32\conhost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase:0x7ff6d64d0000
                    File size:862'208 bytes
                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:3
                    Start time:01:35:47
                    Start date:25/10/2024
                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    Wow64 process (32bit):false
                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO ACTUATOR JC35FA2.exe" -Force
                    Imagebase:0x7ff7be880000
                    File size:452'608 bytes
                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:4
                    Start time:01:35:47
                    Start date:25/10/2024
                    Path:C:\Windows\System32\conhost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase:0x7ff6d64d0000
                    File size:862'208 bytes
                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:5
                    Start time:01:35:47
                    Start date:25/10/2024
                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                    Wow64 process (32bit):
                    Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                    Imagebase:
                    File size:43'008 bytes
                    MD5 hash:9827FF3CDF4B83F9C86354606736CA9C
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:moderate
                    Has exited:false

                    Target ID:6
                    Start time:01:35:47
                    Start date:25/10/2024
                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
                    Imagebase:0xff0000
                    File size:108'664 bytes
                    MD5 hash:914F728C04D3EDDD5FBA59420E74E56B
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.3309071579.00000000036DE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.3307287120.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.3307287120.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.3309071579.0000000003691000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.3309071579.0000000003691000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    Reputation:high
                    Has exited:false

                    Target ID:7
                    Start time:01:35:47
                    Start date:25/10/2024
                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                    Wow64 process (32bit):false
                    Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
                    Imagebase:0xcf0000
                    File size:108'664 bytes
                    MD5 hash:914F728C04D3EDDD5FBA59420E74E56B
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:10
                    Start time:01:35:48
                    Start date:25/10/2024
                    Path:C:\Windows\System32\WerFault.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\WerFault.exe -u -p 6504 -s 1432
                    Imagebase:0x7ff71e9f0000
                    File size:570'736 bytes
                    MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                      Execution Graph

                      Execution Coverage:9.9%
                      Dynamic/Decrypted Code Coverage:100%
                      Signature Coverage:0%
                      Total number of Nodes:6
                      Total number of Limit Nodes:0
                      execution_graph nodes:
                      • 15955: 7ff848e71fea
                      • 15956: 7ff848e71ff9 VirtualProtect
                      • 15958: 7ff848e720db
                      • 15959: 7ff848e708b9
                      • 15960: 7ff848e708cf FreeConsole
                      • 15962: 7ff848e7094e
                      execution_graph edges: 15955->15956, 15956->15958, 15959->15960, 15960->15962
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2137593799.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848f40000_PO ACTUATOR JC35FA2.jbxd
                      Similarity
                      • API ID:
                      • String ID: *Z{}
                      • API String ID: 0-1839175324
                      • Opcode ID: 31480a8f15f2cd16acc53618b8244a49e82b5aa9a9056a8862f2c34f86021282
                      • Instruction ID: cf29dcca2c3cc18f8057d081bfe534a0ce8803cb431d27646e2f706557568412
                      • Opcode Fuzzy Hash: 31480a8f15f2cd16acc53618b8244a49e82b5aa9a9056a8862f2c34f86021282
                      • Instruction Fuzzy Hash: 2BE2477180DAC98FE796FB2888555A4BFE0FFA6740F0805FBC489DB1D3DA286846C745
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2136890760.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848e70000_PO ACTUATOR JC35FA2.jbxd
                      Similarity
                      • API ID:
                      • String ID: :M_
                      • API String ID: 0-1394470079
                      • Opcode ID: ffd394429f49961f5575580f02c472e15fddc8326f6327d508749dcc8a2b922d
                      • Instruction ID: 69466b803dd25b6565313ce52b41031b520136f092bedfd23e78f537a96d53f5
                      • Opcode Fuzzy Hash: ffd394429f49961f5575580f02c472e15fddc8326f6327d508749dcc8a2b922d
                      • Instruction Fuzzy Hash: 0AB2D131A0CA4A8FEBA8FB28C455AB877E1FF55340F5401BAD44EC7292DF38AC458B55

                      Control-flow Graph

                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2136890760.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848e70000_PO ACTUATOR JC35FA2.jbxd
                      Similarity
                      • API ID:
                      • String ID: fish
                      • API String ID: 0-1064584243
                      • Opcode ID: ddbb2a6a5fc4eb0b189add4e177fec5486291495a2907dc27eda44537b40d8f7
                      • Instruction ID: fe68369b507494511951dab3c424bcb1ce49a421c53e9b4f9104cd8a444a0e55
                      • Opcode Fuzzy Hash: ddbb2a6a5fc4eb0b189add4e177fec5486291495a2907dc27eda44537b40d8f7
                      • Instruction Fuzzy Hash: 5FF14831A1DA8A4FE75CBA3CD8551B577E1FF96350F4442BED08AC31D7DE28A8068385
                      Memory Dump Source
                      • Source File: 00000000.00000002.2136890760.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848e70000_PO ACTUATOR JC35FA2.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 395a53889bd9c605865df3e12d02cc140a5bdb03f24a86378637bd925492d576
                      • Instruction ID: 1ae9a5cff24313471c6f553aca2b9b9d320c576ec790d3a6fb6030041fb66cea
                      • Opcode Fuzzy Hash: 395a53889bd9c605865df3e12d02cc140a5bdb03f24a86378637bd925492d576
                      • Instruction Fuzzy Hash: 6BC24730A0CB4A4FE759EB2884854B5B7E2FF95341F1446BEE48AC7296DF34E846C781
                      Memory Dump Source
                      • Source File: 00000000.00000002.2136890760.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848e70000_PO ACTUATOR JC35FA2.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 903cc0e8ec4ba32178d020cffa29fae755d9a8ae45df5334f891a17d7781ff50
                      • Instruction ID: f1ab661e8c431793e7b2122cbc9652624ec1c2d5ffb3f8e02aca697e52078114
                      • Opcode Fuzzy Hash: 903cc0e8ec4ba32178d020cffa29fae755d9a8ae45df5334f891a17d7781ff50
                      • Instruction Fuzzy Hash: A1B2153091CB8A8FE359EB3884544B4BBF1FF96345F1445BED48AC72A6DB38A846C741
                      Memory Dump Source
                      • Source File: 00000000.00000002.2136890760.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848e70000_PO ACTUATOR JC35FA2.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 4ca3566349f4a64c28c9df0b5ff10e994f0f366a4efe19f5724ca0211e088435
                      • Instruction ID: e0b42c74c09362529078cac4cfed7366eb46e0ed9b8259aa509867affb28b6e7
                      • Opcode Fuzzy Hash: 4ca3566349f4a64c28c9df0b5ff10e994f0f366a4efe19f5724ca0211e088435
                      • Instruction Fuzzy Hash: BA72753190CA868FE769AB2484416B87BE1FF96350F5441BDD88ECB5D3DF38A846C784

                      Control-flow Graph

                      Memory Dump Source
                      • Source File: 00000000.00000002.2136890760.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848e70000_PO ACTUATOR JC35FA2.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 75e945478b83878cac6c676ed67251e9f7149fea151473ca5ccff3e597e27aa1
                      • Instruction ID: b1e9a4a61e1775df60df2cc379722a6bc3a57237e484dbee1c20c15ffc3c06da
                      • Opcode Fuzzy Hash: 75e945478b83878cac6c676ed67251e9f7149fea151473ca5ccff3e597e27aa1
                      • Instruction Fuzzy Hash: BC52C330A1CA098FDBA8EA29D455A7977E1FF59341F1401BEE44EC7292DF34EC428B85

                      Control-flow Graph

                      control_flow_graph 2598 7ff848e77d00-7ff848e82aea 2600 7ff848e82aec-7ff848e82b03 2598->2600 2601 7ff848e82b34-7ff848e82bd0 2598->2601 2602 7ff848e82b08-7ff848e82b0d 2600->2602 2613 7ff848e82bd2-7ff848e82bd4 2601->2613 2614 7ff848e82c41-7ff848e82c4b 2601->2614 2606 7ff848e82b0f-7ff848e82b32 2602->2606 2606->2601 2616 7ff848e82bd6 2613->2616 2617 7ff848e82c50-7ff848e82c5b 2613->2617 2615 7ff848e82c4d-7ff848e82c4e 2614->2615 2615->2617 2618 7ff848e82c1c-7ff848e82c1f 2616->2618 2619 7ff848e82bd8-7ff848e82bdc 2616->2619 2627 7ff848e82c5d-7ff848e82c5f 2617->2627 2620 7ff848e82c9b-7ff848e82ca7 2618->2620 2621 7ff848e82c21 2618->2621 2619->2615 2622 7ff848e82bde-7ff848e82be1 2619->2622 2626 7ff848e82ca8-7ff848e82cb8 2620->2626 2624 7ff848e82c67-7ff848e82c6c 2621->2624 2625 7ff848e82c23-7ff848e82c27 2621->2625 2622->2627 2628 7ff848e82be3 2622->2628 2629 7ff848e82c6d 2624->2629 2630 7ff848e82ce8-7ff848e82ce9 2624->2630 2631 7ff848e82c29-7ff848e82c2c 2625->2631 2632 7ff848e82c98-7ff848e82c99 2625->2632 2645 7ff848e82cb9-7ff848e82cc2 2626->2645 2633 7ff848e82c3e-7ff848e82c3f 2627->2633 2634 7ff848e82c60-7ff848e82c66 2627->2634 2628->2631 2635 7ff848e82be5-7ff848e82c1b 2628->2635 2636 7ff848e82cde-7ff848e82ce7 2629->2636 2637 7ff848e82c6e-7ff848e82c73 2629->2637 2639 7ff848e82cea-7ff848e82cf8 2630->2639 2631->2626 2638 7ff848e82c2e 2631->2638 2632->2620 2633->2614 2634->2624 2635->2618 2648 7ff848e82c8c-7ff848e82c96 2635->2648 2636->2630 2643 7ff848e82c74-7ff848e82c79 2637->2643 2637->2645 2638->2643 2644 7ff848e82c30-7ff848e82c3c 2638->2644 2653 7ff848e82cfa-7ff848e82cfc 2639->2653 2643->2639 2649 7ff848e82c7b-7ff848e82c7e 2643->2649 2644->2633 2646 7ff848e82d3e 2645->2646 2647 7ff848e82cc3 2645->2647 2656 7ff848e82d40-7ff848e82d42 2646->2656 2651 7ff848e82d34-7ff848e82d3d 2647->2651 2652 7ff848e82cc4-7ff848e82cc5 2647->2652 2648->2632 2649->2653 2654 7ff848e82c80 2649->2654 2651->2646 2659 7ff848e82cc6-7ff848e82cc7 2652->2659 2657 
7ff848e82cfd-7ff848e82d09 2653->2657 2658 7ff848e82cdb 2653->2658 2654->2659 2660 7ff848e82c82-7ff848e82c89 2654->2660 2661 7ff848e82d43-7ff848e82d48 2656->2661 2663 7ff848e82d0a 2657->2663 2664 7ff848e82d85 2657->2664 2658->2636 2659->2661 2665 7ff848e82cc8 2659->2665 2660->2648 2662 7ff848e82d49-7ff848e82d4e 2661->2662 2667 7ff848e82d4f 2662->2667 2668 7ff848e82dca-7ff848e82dcb 2662->2668 2669 7ff848e82d7b-7ff848e82d84 2663->2669 2670 7ff848e82d0b-7ff848e82d0e 2663->2670 2672 7ff848e82d87-7ff848e82d89 2664->2672 2665->2662 2671 7ff848e82cc9 2665->2671 2673 7ff848e82d50-7ff848e82d53 2667->2673 2677 7ff848e82dcc-7ff848e82dce 2668->2677 2669->2664 2674 7ff848e82d0f 2670->2674 2675 7ff848e82d8a-7ff848e82d8f 2670->2675 2671->2674 2676 7ff848e82cca-7ff848e82ccf 2671->2676 2672->2675 2678 7ff848e82dcf 2673->2678 2679 7ff848e82d55 2673->2679 2680 7ff848e82d90-7ff848e82d95 2674->2680 2681 7ff848e82d10 2674->2681 2675->2680 2676->2656 2682 7ff848e82cd1-7ff848e82cd4 2676->2682 2677->2678 2688 7ff848e82dae-7ff848e82dc5 2678->2688 2689 7ff848e82dd0-7ff848e82ddb 2678->2689 2684 7ff848e82d9b 2679->2684 2685 7ff848e82d56-7ff848e82d5b 2679->2685 2690 7ff848e82d96 2680->2690 2691 7ff848e82e11 2680->2691 2681->2685 2686 7ff848e82d11-7ff848e82d16 2681->2686 2682->2673 2687 7ff848e82cd6 2682->2687 2694 7ff848e82e1c-7ff848e82e22 2684->2694 2695 7ff848e82d9c 2684->2695 2685->2677 2696 7ff848e82d5d-7ff848e82d60 2685->2696 2686->2672 2697 7ff848e82d18-7ff848e82d1b 2686->2697 2698 7ff848e82d1c 2687->2698 2699 7ff848e82cd8-7ff848e82cda 2687->2699 2688->2668 2701 7ff848e82ddc 2689->2701 2692 7ff848e82e07-7ff848e82e10 2690->2692 2693 7ff848e82d97-7ff848e82d9a 2690->2693 2700 7ff848e82e12 2691->2700 2692->2691 2693->2684 2702 7ff848e82e16-7ff848e82e1a 2693->2702 2703 7ff848e82e23 2694->2703 2704 7ff848e82d9d-7ff848e82da2 2695->2704 2705 7ff848e82de2 2695->2705 2696->2701 2706 7ff848e82d62 2696->2706 2697->2693 2697->2698 2698->2704 2707 7ff848e82d1d 2698->2707 2699->2658 2708 
7ff848e82e13-7ff848e82e15 2700->2708 2709 7ff848e82ddd 2701->2709 2710 7ff848e82e58 2701->2710 2702->2694 2702->2700 2724 7ff848e82e29-7ff848e82e32 2703->2724 2704->2708 2715 7ff848e82da4-7ff848e82da7 2704->2715 2713 7ff848e82e63-7ff848e82e67 2705->2713 2714 7ff848e82de3 2705->2714 2716 7ff848e82da8 2706->2716 2717 7ff848e82d63-7ff848e82d7a 2706->2717 2707->2717 2718 7ff848e82d1e-7ff848e82d33 2707->2718 2708->2702 2711 7ff848e82e4e-7ff848e82e56 2709->2711 2712 7ff848e82dde-7ff848e82de1 2709->2712 2720 7ff848e82e5a 2710->2720 2712->2705 2723 7ff848e82e5d-7ff848e82e62 2712->2723 2727 7ff848e82e6a-7ff848e82f2a call 7ff848e70288 call 7ff848e759e0 2713->2727 2714->2724 2725 7ff848e82de4-7ff848e82de9 2714->2725 2715->2703 2715->2716 2716->2724 2726 7ff848e82da9 2716->2726 2717->2669 2718->2651 2720->2723 2723->2713 2728 7ff848e82e4b-7ff848e82e4c 2724->2728 2729 7ff848e82e34-7ff848e82e35 2724->2729 2725->2720 2730 7ff848e82deb-7ff848e82dee 2725->2730 2731 7ff848e82def-7ff848e82df0 2726->2731 2732 7ff848e82daa-7ff848e82dad 2726->2732 2750 7ff848e82fd3-7ff848e83024 call 7ff848e703c8 call 7ff848e75a08 2727->2750 2751 7ff848e82f30-7ff848e82f44 2727->2751 2728->2711 2734 7ff848e82e36-7ff848e82e41 2729->2734 2730->2727 2730->2731 2731->2734 2738 7ff848e82df1-7ff848e82e06 2731->2738 2732->2688 2734->2728 2740 7ff848e82e43-7ff848e82e49 2734->2740 2738->2692 2740->2728 2759 7ff848e83029-7ff848e8303c 2750->2759 2751->2750
                      Memory Dump Source
                      • Source File: 00000000.00000002.2136890760.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848e70000_PO ACTUATOR JC35FA2.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: ae9a9a8d25bf9c182f432e89fa32de83999ec2af064bb99fd5ec767f0d12ae2b
                      • Instruction ID: 7654272df5fc4b6ec0717d3dab26bd34405f5e2b701739ef838435b1ecfdbc28
                      • Opcode Fuzzy Hash: ae9a9a8d25bf9c182f432e89fa32de83999ec2af064bb99fd5ec767f0d12ae2b
                      • Instruction Fuzzy Hash: AE122B31A1C98A4FE3ADE61C98165787BD1FF89351F9402BAD48DC72E3DF3868064789

                      Control-flow Graph

                      control_flow_graph 2920 7ff848e7aa29-7ff848e7aa49 2922 7ff848e7aa4b-7ff848e7aa74 2920->2922 2923 7ff848e7aa93-7ff848e7aaaa call 7ff848e76450 call 7ff848e76bb0 2920->2923 2924 7ff848e7ab3a 2922->2924 2925 7ff848e7aa7a-7ff848e7aa91 2922->2925 2923->2924 2935 7ff848e7aab0-7ff848e7aabe 2923->2935 2929 7ff848e7ab3e-7ff848e7ab4b 2924->2929 2925->2923 2931 7ff848e7ab8d-7ff848e7ab8f 2929->2931 2932 7ff848e7ab4d-7ff848e7ab5d 2929->2932 2933 7ff848e7ab76-7ff848e7ab8c 2931->2933 2934 7ff848e7ab91-7ff848e7ab99 2931->2934 2939 7ff848e7ab5f-7ff848e7ab6c 2932->2939 2933->2931 2944 7ff848e7ab9f-7ff848e7abb5 2934->2944 2945 7ff848e7adcc-7ff848e7addc 2934->2945 2937 7ff848e7ab2f-7ff848e7ab39 2935->2937 2938 7ff848e7aac0-7ff848e7aac2 2935->2938 2938->2929 2941 7ff848e7aac4 2938->2941 2942 7ff848e7ab6e-7ff848e7ab75 2939->2942 2943 7ff848e7abb6-7ff848e7abf3 call 7ff848e79f90 * 2 call 7ff848e76450 2939->2943 2947 7ff848e7ab0a-7ff848e7ab18 2941->2947 2948 7ff848e7aac6-7ff848e7aacf 2941->2948 2942->2933 2943->2945 2971 7ff848e7abf9-7ff848e7ac14 2943->2971 2944->2943 2957 7ff848e7adde-7ff848e7addf 2945->2957 2947->2924 2949 7ff848e7ab1a-7ff848e7ab26 2947->2949 2951 7ff848e7ab28-7ff848e7ab2e 2948->2951 2952 7ff848e7aad1-7ff848e7aaee 2948->2952 2949->2951 2951->2937 2952->2939 2958 7ff848e7aaf0-7ff848e7aaf5 2952->2958 2961 7ff848e7ae21-7ff848e7ae2c 2957->2961 2962 7ff848e7ade1-7ff848e7ade9 2957->2962 2958->2933 2959 7ff848e7aaf7-7ff848e7ab09 call 7ff848e767f0 2958->2959 2959->2947 2963 7ff848e7ae2e-7ff848e7ae3a 2961->2963 2964 7ff848e7ae3d-7ff848e7ae5c 2961->2964 2962->2957 2967 7ff848e7adeb-7ff848e7ae0b 2962->2967 2963->2964 2968 7ff848e7ae5e-7ff848e7ae6a 2964->2968 2969 7ff848e7ae6d-7ff848e7ae86 2964->2969 2977 7ff848e7ae0d-7ff848e7ae16 2967->2977 2978 7ff848e7ae19-7ff848e7ae1f 2967->2978 2968->2969 2973 7ff848e7ae88-7ff848e7ae93 2969->2973 2974 7ff848e7ae96-7ff848e7aeab 2969->2974 2975 7ff848e7ac6d-7ff848e7ac77 2971->2975 2976 7ff848e7ac16-7ff848e7ac19 2971->2976 
2973->2974 2979 7ff848e7acef-7ff848e7acf7 2975->2979 2980 7ff848e7ac1b-7ff848e7ac3b 2976->2980 2981 7ff848e7ac9a-7ff848e7acd4 2976->2981 2977->2978 2978->2961 2983 7ff848e7acf9-7ff848e7acfe 2979->2983 2984 7ff848e7ad68-7ff848e7ad7b 2979->2984 2989 7ff848e7ac3d-7ff848e7ac6c 2980->2989 2990 7ff848e7ac79-7ff848e7ac8f 2980->2990 2981->2979 2986 7ff848e7ad7f-7ff848e7ad8b call 7ff848e73308 2983->2986 2988 7ff848e7ad00-7ff848e7ad44 call 7ff848e767f0 2983->2988 2984->2986 2995 7ff848e7ad90-7ff848e7ada0 2986->2995 2988->2945 2997 7ff848e7ad4a-7ff848e7ad67 2988->2997 2989->2975 2990->2981 2995->2945 2999 7ff848e7ada2-7ff848e7adcb 2995->2999 2997->2984
                      Memory Dump Source
                      • Source File: 00000000.00000002.2136890760.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848e70000_PO ACTUATOR JC35FA2.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 0d49bb8a2fc9e81d7a1e4f284bda6add4f9759c5f6b8809a5bf779e9c604e94c
                      • Instruction ID: 062cd24f3fc53c522f0e73b2dc9e3554f4bde034a35da877e6181c21f9c3292b
                      • Opcode Fuzzy Hash: 0d49bb8a2fc9e81d7a1e4f284bda6add4f9759c5f6b8809a5bf779e9c604e94c
                      • Instruction Fuzzy Hash: D0F1673590CB864FE31DEB2884951B5B7E2FF95351F0446BED4CAC7292DB38A882C785
                      Memory Dump Source
                      • Source File: 00000000.00000002.2136890760.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848e70000_PO ACTUATOR JC35FA2.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: f5a7321e5c55f819b5d3fb2f6b8c267bd6169a2679158e1828dfc02030f53be2
                      • Instruction ID: 3d323330782f9a0d0d81885fc631bb95db8837957cbefec446c4b2ddd84f5aea
                      • Opcode Fuzzy Hash: f5a7321e5c55f819b5d3fb2f6b8c267bd6169a2679158e1828dfc02030f53be2
                      • Instruction Fuzzy Hash: 2A516831A0DA4D1FD71E9A3CC8561B57BE1EB82220F1982BFD48BC7197DD289C078395

                      Control-flow Graph

                      control_flow_graph 1316 7ff848e71fea-7ff848e71ff7 1317 7ff848e71ff9-7ff848e72001 1316->1317 1318 7ff848e72002-7ff848e72013 1316->1318 1317->1318 1319 7ff848e7201e-7ff848e720d9 VirtualProtect 1318->1319 1320 7ff848e72015-7ff848e7201d 1318->1320 1325 7ff848e720db 1319->1325 1326 7ff848e720e1-7ff848e72112 1319->1326 1320->1319 1325->1326
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2136890760.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848e70000_PO ACTUATOR JC35FA2.jbxd
                      Similarity
                      • API ID: ProtectVirtual
                      • String ID:
                      • API String ID: 544645111-0
                      • Opcode ID: 7e19c64808b5877d70ffe073f7f8523d752a9f536bc14c732dc9d23803aaf625
                      • Instruction ID: dc07b0950520b95abaa712c2bbf45c2f75dc6e5b8ac60c484bcecd9e40ab9da4
                      • Opcode Fuzzy Hash: 7e19c64808b5877d70ffe073f7f8523d752a9f536bc14c732dc9d23803aaf625
                      • Instruction Fuzzy Hash: 0741283180D7884FD7199BA89C066E97BE0EF56321F0442AFD089C3193DF786846C796

                      Control-flow Graph

                      control_flow_graph 1328 7ff848e708b9-7ff848e7094c FreeConsole 1332 7ff848e7094e 1328->1332 1333 7ff848e70954-7ff848e7097b 1328->1333 1332->1333
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2136890760.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848e70000_PO ACTUATOR JC35FA2.jbxd
                      Similarity
                      • API ID: ConsoleFree
                      • String ID:
                      • API String ID: 771614528-0
                      • Opcode ID: cdaab8077ced0b257361742f9c8c40cb47b197d7ab7717a6b2ffc13ef4eb007b
                      • Instruction ID: b8034b589968d1043675be973c75db6f4ca817bdc39c84888125ae553d1c8f4b
                      • Opcode Fuzzy Hash: cdaab8077ced0b257361742f9c8c40cb47b197d7ab7717a6b2ffc13ef4eb007b
                      • Instruction Fuzzy Hash: 8521B47090CB4C8FEB29EF69D845AE97BF0EF56310F04426FD089C3192D6746849CB51
                      Memory Dump Source
                      • Source File: 00000000.00000002.2137593799.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848f40000_PO ACTUATOR JC35FA2.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 899752bd73cec8507766f0350b43637770910c9035b64e405c1533e180520f83
                      • Instruction ID: 984569e3573fc5d401e123aeed19264ade64ceac8a1217fc170f932e1be8aef9
                      • Opcode Fuzzy Hash: 899752bd73cec8507766f0350b43637770910c9035b64e405c1533e180520f83
                      • Instruction Fuzzy Hash: C271323190CA994FEB56EB2888595B57BE0EF66740F0901FBC04AD71E3EF28A845C395
                      Memory Dump Source
                      • Source File: 00000000.00000002.2137593799.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ff848f40000_PO ACTUATOR JC35FA2.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 2bed4ec53e7ba7a21e6b5e4e08a1396d0f9f7bb573d993e6635faee4235e7bd7
                      • Instruction ID: 538b37112ff53575ca5b13e8c96a92d7834f242a2bca2a6ae2f19867a67c4f1f
                      • Opcode Fuzzy Hash: 2bed4ec53e7ba7a21e6b5e4e08a1396d0f9f7bb573d993e6635faee4235e7bd7
                      • Instruction Fuzzy Hash: FCE01230A0462C8FEF60EB48CC81BEAB3B1FB98340F0041E6D45DA7241CB306A84CF92

                      Execution Graph

                      Execution Coverage:11.4%
                      Dynamic/Decrypted Code Coverage:100%
                      Signature Coverage:0%
                      Total number of Nodes:26
                      Total number of Limit Nodes:5
                      execution_graph 29417 19f0848 29418 19f084e 29417->29418 29419 19f091b 29418->29419 29422 19f148b 29418->29422 29428 19f1380 29418->29428 29424 19f1396 29422->29424 29425 19f1493 29422->29425 29423 19f1480 29423->29418 29424->29423 29427 19f148b GlobalMemoryStatusEx 29424->29427 29433 19f7090 29424->29433 29425->29418 29427->29424 29430 19f1396 29428->29430 29429 19f1480 29429->29418 29430->29429 29431 19f7090 GlobalMemoryStatusEx 29430->29431 29432 19f148b GlobalMemoryStatusEx 29430->29432 29431->29430 29432->29430 29434 19f709a 29433->29434 29435 19f70b4 29434->29435 29438 681cf87 29434->29438 29443 681cf98 29434->29443 29435->29424 29440 681cf98 29438->29440 29439 681d1c2 29439->29435 29440->29439 29441 681d5b8 GlobalMemoryStatusEx 29440->29441 29442 681d5f0 GlobalMemoryStatusEx 29440->29442 29441->29440 29442->29440 29444 681cfad 29443->29444 29445 681d1c2 29444->29445 29446 681d5b8 GlobalMemoryStatusEx 29444->29446 29447 681d5f0 GlobalMemoryStatusEx 29444->29447 29445->29435 29446->29444 29447->29444
                      Memory Dump Source
                      • Source File: 00000006.00000002.3308273765.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_19f0000_CasPol.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: c656430a86294a96ed6702cf9cb1d68d24be3ebda93ee797046c5babbfc09c63
                      • Instruction ID: 353dfcc422603dccd78c0148d87891cb1b6d73f5e70a7d43fc1e4e6479f24135
                      • Opcode Fuzzy Hash: c656430a86294a96ed6702cf9cb1d68d24be3ebda93ee797046c5babbfc09c63
                      • Instruction Fuzzy Hash: 97630931D10B1A9ACB51EF68C8806A9F7B1FF99300F15C79AE45D77121EB70AAD4CB81
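The flattened `control_flow_graph` and `execution_graph` lines above are the text the report emits for a graph image: node ids, basic-block address ranges, Win32 API names, `call <addr>` annotations (with `* <n>` when the same callee is hit several times) and `a->b` edges, all in one token stream. The Python below is an added example, not part of the Joe Sandbox report or its tooling. It parses that stream (the grammar is inferred from the dumps on this page and is therefore an assumption), takes as input the CasPol.exe execution graph and the VirtualProtect function graph copied from this page plus one constructed fragment that exercises the repeat marker, and reports entry blocks, distinct API call sites and which APIs are reachable from the entry. On the execution graph it shows that the entry block at 19f0848 reaches GlobalMemoryStatusEx at four distinct sites, consistent with the "Contains capabilities to detect virtual machines" signature in the summary (physical-RAM size is a common sandbox tell).

```python
"""Parser for the flattened graph text in a Joe Sandbox report.

Added example; the token grammar is inferred from this page's dumps:
a graph name, then node declarations "<id> <hex addr or addr-range>"
optionally followed by API names and "call <addr>" (with "* <n>"),
interleaved with edges "<id>-><id>".
"""
import re
from dataclasses import dataclass, field

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
NODE_ID_RE = re.compile(r"^\d+$")
NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_.]*$")


@dataclass
class Node:
    ident: int
    start: int                                  # first address of the block
    end: int                                    # last address (== start if single)
    apis: list = field(default_factory=list)    # Win32 APIs invoked in the block
    calls: list = field(default_factory=list)   # [callee address, repeat count]


@dataclass
class Graph:
    kind: str
    nodes: dict = field(default_factory=dict)
    edges: list = field(default_factory=list)

    def roots(self):
        """Node ids with no incoming edge, i.e. function entry blocks."""
        targets = {dst for _, dst in self.edges}
        return sorted(n for n in self.nodes if n not in targets)

    def reachable_apis(self, ident):
        """APIs on any path from `ident`; tolerates edges to undeclared nodes."""
        seen, stack, apis = set(), [ident], set()
        while stack:
            cur = stack.pop()
            if cur in seen or cur not in self.nodes:
                continue
            seen.add(cur)
            apis.update(self.nodes[cur].apis)
            stack.extend(dst for src, dst in self.edges if src == cur)
        return sorted(apis)


def _parse_addr(tok):
    lo, _, hi = tok.partition("-")
    return int(lo, 16), int(hi or lo, 16)


def parse_graph(text):
    toks = text.split()                         # wrapped lines join harmlessly
    graph, cur, i = Graph(kind=toks[0]), None, 1
    while i < len(toks):
        tok = toks[i]
        edge = EDGE_RE.match(tok)
        if edge:
            graph.edges.append((int(edge.group(1)), int(edge.group(2))))
        elif NODE_ID_RE.match(tok):             # an id is always followed by its address
            cur = Node(int(tok), *_parse_addr(toks[i + 1]))
            graph.nodes[cur.ident] = cur
            i += 1
        elif tok == "call":
            cur.calls.append([int(toks[i + 1], 16), 1])
            i += 1
        elif tok == "*":                        # "call X * 2": X is called twice
            cur.calls[-1][1] = int(toks[i + 1])
            i += 1
        elif NAME_RE.match(tok):
            cur.apis.append(tok)
        else:
            raise ValueError(f"unexpected token {tok!r} at index {i}")
        i += 1
    return graph


def api_sites(graph, api):
    """Distinct block start addresses that invoke `api`."""
    return sorted({n.start for n in graph.nodes.values() if api in n.apis})


def summarize(graph):
    """The few facts a triage analyst wants from one graph."""
    nodes = list(graph.nodes.values())
    return {
        "kind": graph.kind,
        "blocks": len(nodes),
        "edges": len(graph.edges),
        "entry": [f"{graph.nodes[r].start:x}" for r in graph.roots()],
        "apis": sorted({a for n in nodes for a in n.apis}),
        "callees": [f"{c:x}" for c in sorted({c for n in nodes for c, _ in n.calls})],
    }


# Copied from this report: execution graph of the injected CasPol.exe process.
EXEC_GRAPH = """execution_graph 29417 19f0848 29418 19f084e 29417->29418 29419 19f091b 29418->29419
29422 19f148b 29418->29422 29428 19f1380 29418->29428 29424 19f1396 29422->29424
29425 19f1493 29422->29425 29423 19f1480 29423->29418 29424->29423
29427 19f148b GlobalMemoryStatusEx 29424->29427 29433 19f7090 29424->29433 29425->29418
29427->29424 29430 19f1396 29428->29430 29429 19f1480 29429->29418 29430->29429
29431 19f7090 GlobalMemoryStatusEx 29430->29431 29432 19f148b GlobalMemoryStatusEx
29430->29432 29431->29430 29432->29430 29434 19f709a 29433->29434 29435 19f70b4
29434->29435 29438 681cf87 29434->29438 29443 681cf98 29434->29443 29435->29424
29440 681cf98 29438->29440 29439 681d1c2 29439->29435 29440->29439
29441 681d5b8 GlobalMemoryStatusEx 29440->29441 29442 681d5f0 GlobalMemoryStatusEx
29440->29442 29441->29440 29442->29440 29444 681cfad 29443->29444 29445 681d1c2
29444->29445 29446 681d5b8 GlobalMemoryStatusEx 29444->29446
29447 681d5f0 GlobalMemoryStatusEx 29444->29447 29445->29435 29446->29444 29447->29444"""

# Copied from this report: the function at 7ff848e71fea that calls VirtualProtect.
VP_GRAPH = """control_flow_graph 1316 7ff848e71fea-7ff848e71ff7 1317 7ff848e71ff9-7ff848e72001 1316->1317
1318 7ff848e72002-7ff848e72013 1316->1318 1317->1318 1319 7ff848e7201e-7ff848e720d9 VirtualProtect
1318->1319 1320 7ff848e72015-7ff848e7201d 1318->1320 1325 7ff848e720db 1319->1325
1326 7ff848e720e1-7ff848e72112 1319->1326 1320->1319 1325->1326"""

# Constructed fragment (not from the report) exercising "call X * 2".
CALL_SAMPLE = ("control_flow_graph 1 aa00-aa10 2 aa12-aa30 call bb00 * 2 call cc00 "
               "1->2 3 aa32 VirtualAlloc 2->3")

if __name__ == "__main__":
    for text in (EXEC_GRAPH, VP_GRAPH, CALL_SAMPLE):
        print(summarize(parse_graph(text)))
```

Node ids are resolved purely by position (an id token is always followed by its address), so a dump that extraction has wrapped across several lines, like the ones on this page, parses after a plain `split()`; an edge to a node that was never declared is skipped by `reachable_apis` rather than crashing, which matters on truncated dumps.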
                      Memory Dump Source
                      • Source File: 00000006.00000002.3308273765.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_19f0000_CasPol.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 0158111e20632d774c6267d20388194571a0790bb4e8627eb27d4ec0a2098bd1
                      • Instruction ID: 155a4084cca5c880fdadab8d8851ca193d4b9deff7cb4979b7079765256d5c62
                      • Opcode Fuzzy Hash: 0158111e20632d774c6267d20388194571a0790bb4e8627eb27d4ec0a2098bd1
                      • Instruction Fuzzy Hash: 93333F31D1071A9EDB11EF68C8806ADF7B5FF99300F15C79AE449A7221EB70AAC5CB41
                      Memory Dump Source
                      • Source File: 00000006.00000002.3308273765.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_19f0000_CasPol.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: f7513eefa7387022f34b0147b96f5263efa2d3bae5225bddea466eeb35829483
                      • Instruction ID: 53d90b5560d4a94f49af286d37fd45a0156578384154c16eef1b985f52c71239
                      • Opcode Fuzzy Hash: f7513eefa7387022f34b0147b96f5263efa2d3bae5225bddea466eeb35829483
                      • Instruction Fuzzy Hash: 8932AE34A002099FDB14DF69D884BAEBBB6FF88315F108569EA09EB395DB30DC45CB51
                      Memory Dump Source
                      • Source File: 00000006.00000002.3308273765.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_19f0000_CasPol.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: aaa0b496ebc0c06f63d0b54365eb67bac9f737a494a43fa508552cef37a63400
                      • Instruction ID: c9e033d5da905f7d1be71604d7603246e65c079491dc14471234c36699eea1f1
                      • Opcode Fuzzy Hash: aaa0b496ebc0c06f63d0b54365eb67bac9f737a494a43fa508552cef37a63400
                      • Instruction Fuzzy Hash: 88B16E70E002099FDF14CFA9C9857EEBBF6AF88315F14852DD519E7294EB349885CB81
                      Memory Dump Source
                      • Source File: 00000006.00000002.3308273765.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_19f0000_CasPol.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 9950abf4f97014971523609a94f6d6e8c437f7d30cae258e094842400b29f69a
                      • Instruction ID: 9174af79a482797603468355c37a4e57115924676c5d18cfb5974b33c9f3362c
                      • Opcode Fuzzy Hash: 9950abf4f97014971523609a94f6d6e8c437f7d30cae258e094842400b29f69a
                      • Instruction Fuzzy Hash: 0F917D70E00209EFDF10CFA9C9857AEBBF6BF98314F14812DE519A7254EB749945CB81

                      Control-flow Graph

                      control_flow_graph 2004 19f6ed8-19f6f42 call 19f6c40 2013 19f6f5e-19f6f8c 2004->2013 2014 19f6f44-19f6f5d call 19f638c 2004->2014 2018 19f6f8e-19f6f91 2013->2018 2020 19f6fcd-19f6fd0 2018->2020 2021 19f6f93-19f6fc8 2018->2021 2022 19f6fd2 2020->2022 2023 19f6fe0-19f6fe3 2020->2023 2021->2020 2046 19f6fd2 call 19f7918 2022->2046 2047 19f6fd2 call 19f7908 2022->2047 2048 19f6fd2 call 19f80f1 2022->2048 2024 19f7016-19f7019 2023->2024 2025 19f6fe5-19f6ff9 2023->2025 2026 19f702d-19f702f 2024->2026 2027 19f701b-19f7022 2024->2027 2034 19f6fff 2025->2034 2035 19f6ffb-19f6ffd 2025->2035 2032 19f7036-19f7039 2026->2032 2033 19f7031 2026->2033 2030 19f70eb-19f70f1 2027->2030 2031 19f7028 2027->2031 2028 19f6fd8-19f6fdb 2028->2023 2031->2026 2032->2018 2036 19f703f-19f704e 2032->2036 2033->2032 2037 19f7002-19f7011 2034->2037 2035->2037 2040 19f7078-19f708d 2036->2040 2041 19f7050-19f7053 2036->2041 2037->2024 2040->2030 2043 19f705b-19f7076 2041->2043 2043->2040 2043->2041 2046->2028 2047->2028 2048->2028
                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.3308273765.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_19f0000_CasPol.jbxd
                      Similarity
                      • API ID:
                      • String ID: LR]q$LR]q
                      • API String ID: 0-3917262905
                      • Opcode ID: 8bb6c7f1b15d22fdeb762eeaac01f188f219c20e54c3c1bc7cd54b8811e5a7e4
                      • Instruction ID: a54c8133145e58246b95f344795a1291f2595c9625626f4f6a66a679b0c10a40
                      • Opcode Fuzzy Hash: 8bb6c7f1b15d22fdeb762eeaac01f188f219c20e54c3c1bc7cd54b8811e5a7e4
                      • Instruction Fuzzy Hash: 59510330A10205AFDB19DFB8C8547AEBBB6EF85300F14896DE509EB281DB759C42CB91

                      Control-flow Graph

                      control_flow_graph 2858 681e281-681e284 2859 681e286-681e2c6 2858->2859 2860 681e24d-681e269 2858->2860 2861 681e2ce-681e2fc GlobalMemoryStatusEx 2859->2861 2866 681e26b-681e26e 2860->2866 2867 681e26f-681e27f 2860->2867 2863 681e305-681e32d 2861->2863 2864 681e2fe-681e304 2861->2864 2864->2863
                      APIs
                      • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,0681E202), ref: 0681E2EF
                      Memory Dump Source
                      • Source File: 00000006.00000002.3312249763.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_6810000_CasPol.jbxd
                      Similarity
                      • API ID: GlobalMemoryStatus
                      • String ID:
                      • API String ID: 1890195054-0
                      • Opcode ID: 0eb2c35eb40d3678760ffff728442815b207e6b836750ae316fb9cc7f6dccd14
                      • Instruction ID: 3003fc8a0eb5f22b194787017bd3087f172c185f56cbab5ee58b82573de9279b
                      • Opcode Fuzzy Hash: 0eb2c35eb40d3678760ffff728442815b207e6b836750ae316fb9cc7f6dccd14
                      • Instruction Fuzzy Hash: 5C2135B1C0021A8FDB10DFAAD5447DEBBF9EF48310F24856AE918A7240D738A944CFE5

                      Control-flow Graph

                      control_flow_graph 2871 681d5ac-681e2fc GlobalMemoryStatusEx 2874 681e305-681e32d 2871->2874 2875 681e2fe-681e304 2871->2875 2875->2874
                      APIs
                      • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,0681E202), ref: 0681E2EF
                      Memory Dump Source
                      • Source File: 00000006.00000002.3312249763.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_6810000_CasPol.jbxd
                      Similarity
                      • API ID: GlobalMemoryStatus
                      • String ID:
                      • API String ID: 1890195054-0
                      • Opcode ID: 89b7d227dd9652c8e4c9837717812ee6feaa97e66632de7124187704c58899ce
                      • Instruction ID: 94b2e646a3cd2dfab47261ff50fca754f3a6b79993f9e351c9f6fa6a753ee61a
                      • Opcode Fuzzy Hash: 89b7d227dd9652c8e4c9837717812ee6feaa97e66632de7124187704c58899ce
                      • Instruction Fuzzy Hash: 6D1117B1C0065A9BDB10DF9AD5497AEFBF8EF49310F10816AE918B7240D778A944CFE1
                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.3308273765.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_19f0000_CasPol.jbxd
                      Similarity
                      • API ID:
                      • String ID: PH]q
                      • API String ID: 0-3168235125
                      • Opcode ID: 8a3c95d792c1abb94c26e98d8c7187806b3c1b48875d0079657579295f5941c3
                      • Instruction ID: d0c4a9621caa3a3d608ddbad134913514627feae59a7013c8b8e5327a279cfb1
                      • Opcode Fuzzy Hash: 8a3c95d792c1abb94c26e98d8c7187806b3c1b48875d0079657579295f5941c3
                      • Instruction Fuzzy Hash: 57311031B002019FCB1AAB38D55466E3BEAEF85790F14843CD10ADB385EE79CC06CB91
                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.3308273765.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_19f0000_CasPol.jbxd
                      Similarity
                      • API ID:
                      • String ID: PH]q
                      • API String ID: 0-3168235125
                      • Opcode ID: 98af59dc2c8a390ff5c2ed1dd84d4aeffbb7bc470103335302817a87f262e099
                      • Instruction ID: 500579d88b6daa84aa159635e1a03812af6ee0825318c9767460ba2998a73f63
                      • Opcode Fuzzy Hash: 98af59dc2c8a390ff5c2ed1dd84d4aeffbb7bc470103335302817a87f262e099
                      • Instruction Fuzzy Hash: 8E31FE31B002059FDB19AB38D55466E3AEBEF85790F24843CD10ADB389EE75DC06CBA5
                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.3308273765.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_19f0000_CasPol.jbxd
                      Similarity
                      • API ID:
                      • String ID: LR]q
                      • API String ID: 0-3081347316
                      • Opcode ID: a4f4f2ce27a23a77a8444e6b4869a466d0cfa784ab7c9632133700ee6472ced6
                      • Instruction ID: 5998152a169740b81565f61463d573bbb546f7ef3451dfaab427f8dcd444402e
                      • Opcode Fuzzy Hash: a4f4f2ce27a23a77a8444e6b4869a466d0cfa784ab7c9632133700ee6472ced6
                      • Instruction Fuzzy Hash: B631B534E10209EBDB19CFA8D44079EB7B6FF85301F148529E509F7240EB719942CB51
                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.3308273765.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_19f0000_CasPol.jbxd
                      Similarity
                      • API ID:
                      • String ID: LR]q
                      • API String ID: 0-3081347316
                      • Opcode ID: a2b6a8b60d5958d9fd27cb432d9aa07059a229af2cabe29edd8693526a1fe305
                      • Instruction ID: e7c9c56f9f47002476c930b8295810d9cdc7e0dbad55e7aedc7e8f9e334f624d
                      • Opcode Fuzzy Hash: a2b6a8b60d5958d9fd27cb432d9aa07059a229af2cabe29edd8693526a1fe305
                      • Instruction Fuzzy Hash: CB3122316082019FC7219F3CD8647993BB6EF86310F0186AEC149CB396EF355C46CB95
                      Memory Dump Source
                      • Source File: 00000006.00000002.3308273765.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_19f0000_CasPol.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 9ef5ed8b016883f48be4a6a39fde08e038d8042aaa6042b63cf59a644e504bc4
                      • Instruction ID: d4dfc1e445e1778ee00f913a4649a60c2ad6a9ff0498d09ab2866bec431dfb92
                      • Opcode Fuzzy Hash: 9ef5ed8b016883f48be4a6a39fde08e038d8042aaa6042b63cf59a644e504bc4
                      • Instruction Fuzzy Hash: D4123B30711103DBCB1A9A7CE99862C7BABFB89201F508A6EE105CB356DF75DC46CB91