Windows Analysis Report
techno POORD035338.exe

Overview

General Information

Sample name: techno POORD035338.exe
Analysis ID: 1541820
MD5: 3347ea2966db1b15601fd171d9d49513
SHA1: f746277e620b0f7e7f77f106a61c44a35a8fe468
SHA256: 4d77def6a54990ec94ce80d0e2c5a0ee8ccb543e83f1ca7ed05987ce8454f132

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected UAC Bypass using CMSTP
.NET source code references suspicious native API functions
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Disables UAC (registry)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file does not import any functions
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Outbound SMTP Connections
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • techno POORD035338.exe (PID: 7472 cmdline: "C:\Users\user\Desktop\techno POORD035338.exe" MD5: 3347EA2966DB1B15601FD171D9D49513)
    • conhost.exe (PID: 7480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7624 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\techno POORD035338.exe" -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegAsm.exe (PID: 7664 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
    • RegAsm.exe (PID: 7680 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
    • WerFault.exe (PID: 7796 cmdline: C:\Windows\system32\WerFault.exe -u -p 7472 -s 1600 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{"Exfil Mode": "SMTP", "Port": "25", "Host": "mail.iaa-airferight.com", "Username": "admin@iaa-airferight.com", "Password": "manlikeyou88"}
Source | Rule | Description | Author | Strings
00000004.00000002.3035368585.0000000002F2E000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000004.00000002.3034290046.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000004.00000002.3034290046.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.1990364764.0000016880371000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
00000004.00000002.3035368585.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security

Source | Rule | Description | Author | Strings
0.2.techno POORD035338.exe.16890086f08.6.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.techno POORD035338.exe.16890086f08.6.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.techno POORD035338.exe.1689004c4c0.5.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.techno POORD035338.exe.16890086f08.6.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
  • 0x316cb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x3173d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x317c7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x31859:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x318c3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x31935:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x319cb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x31a5b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.techno POORD035338.exe.1689004c4c0.5.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

                    System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\techno POORD035338.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\techno POORD035338.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\techno POORD035338.exe", ParentImage: C:\Users\user\Desktop\techno POORD035338.exe, ParentProcessId: 7472, ParentProcessName: techno POORD035338.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\techno POORD035338.exe" -Force, ProcessId: 7624, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\techno POORD035338.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\techno POORD035338.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\techno POORD035338.exe", ParentImage: C:\Users\user\Desktop\techno POORD035338.exe, ParentProcessId: 7472, ParentProcessName: techno POORD035338.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\techno POORD035338.exe" -Force, ProcessId: 7624, ProcessName: powershell.exe
Source: Network Connection | Author: frack113 | Data: DestinationIp: 46.175.148.58, DestinationIsIpv6: false, DestinationPort: 25, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Initiated: true, ProcessId: 7664, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49731
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\techno POORD035338.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\techno POORD035338.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\techno POORD035338.exe", ParentImage: C:\Users\user\Desktop\techno POORD035338.exe, ParentProcessId: 7472, ParentProcessName: techno POORD035338.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\techno POORD035338.exe" -Force, ProcessId: 7624, ProcessName: powershell.exe
                    No Suricata rule has matched

                    AV Detection

Source: 4.2.RegAsm.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "25", "Host": "mail.iaa-airferight.com", "Username": "admin@iaa-airferight.com", "Password": "manlikeyou88"}
Source: mail.iaa-airferight.com | Virustotal: Detection: 7%
Source: http://mail.iaa-airferight.com | Virustotal: Detection: 7%
Source: techno POORD035338.exe | ReversingLabs: Detection: 31%
Source: techno POORD035338.exe | Virustotal: Detection: 34%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: techno POORD035338.exe | Joe Sandbox ML: detected

                    Exploits

Source: Yara match | File source: 00000000.00000002.1990364764.0000016880371000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: techno POORD035338.exe PID: 7472, type: MEMORYSTR
Source: techno POORD035338.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: System.Windows.Forms.pdb source: WERC1F.tmp.dmp.8.dr
                    Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WERC1F.tmp.dmp.8.dr
                    Source: Binary string: mscorlib.pdb source: WERC1F.tmp.dmp.8.dr
                    Source: Binary string: System.ni.pdbRSDS source: WERC1F.tmp.dmp.8.dr
                    Source: Binary string: System.Drawing.pdbq1 source: WERC1F.tmp.dmp.8.dr
                    Source: Binary string: System.Management.ni.pdbRSDSJ< source: WERC1F.tmp.dmp.8.dr
                    Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WERC1F.tmp.dmp.8.dr
                    Source: Binary string: System.Windows.Forms.ni.pdb source: WERC1F.tmp.dmp.8.dr
                    Source: Binary string: System.Management.pdb source: WERC1F.tmp.dmp.8.dr
                    Source: Binary string: System.Drawing.pdb source: WERC1F.tmp.dmp.8.dr
                    Source: Binary string: mscorlib.ni.pdb source: WERC1F.tmp.dmp.8.dr
                    Source: Binary string: System.Management.ni.pdb source: WERC1F.tmp.dmp.8.dr
                    Source: Binary string: System.Drawing.ni.pdb source: WERC1F.tmp.dmp.8.dr
                    Source: Binary string: System.Core.pdb source: WERC1F.tmp.dmp.8.dr
                    Source: Binary string: Microsoft.VisualBasic.pdb- source: WERC1F.tmp.dmp.8.dr
                    Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WERC1F.tmp.dmp.8.dr
                    Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WERC1F.tmp.dmp.8.dr
                    Source: Binary string: System.Drawing.ni.pdbRSDS source: WERC1F.tmp.dmp.8.dr
                    Source: Binary string: System.ni.pdb source: WERC1F.tmp.dmp.8.dr
                    Source: Binary string: System.pdb source: WERC1F.tmp.dmp.8.dr
                    Source: Binary string: System.Core.ni.pdbRSDS source: WERC1F.tmp.dmp.8.dr
                    Source: Binary string: System.Core.ni.pdb source: WERC1F.tmp.dmp.8.dr
                    Source: Binary string: Microsoft.VisualBasic.pdb source: WERC1F.tmp.dmp.8.dr
Source: Joe Sandbox View | IP Address: 46.175.148.58
Source: Joe Sandbox View | ASN Name: ASLAGIDKOM-NETUA
Source: global traffic | TCP traffic: 192.168.2.4:49731 -> 46.175.148.58:25
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: mail.iaa-airferight.com
Source: techno POORD035338.exe, 00000000.00000002.1993824416.00000168EF759000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://go.mic
Source: RegAsm.exe, 00000004.00000002.3035368585.0000000002F36000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.iaa-airferight.com
Source: Amcache.hve.8.dr | String found in binary or memory: http://upx.sf.net
Source: techno POORD035338.exe, 00000000.00000002.1990925173.0000016890011000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.3034290046.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.techno POORD035338.exe.16890086f08.6.raw.unpack, SKTzxzsJw.cs | .Net Code: sf6jJs8S
Source: 0.2.techno POORD035338.exe.1689004c4c0.5.raw.unpack, SKTzxzsJw.cs | .Net Code: sf6jJs8S

                    System Summary

Source: 0.2.techno POORD035338.exe.16890086f08.6.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.techno POORD035338.exe.1689004c4c0.5.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.techno POORD035338.exe.16890086f08.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.techno POORD035338.exe.1689004c4c0.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: C:\Users\user\Desktop\techno POORD035338.exe | Code function: 0_2_00007FFD9B6E7C40
Source: C:\Users\user\Desktop\techno POORD035338.exe | Code function: 0_2_00007FFD9B6E7C38
Source: C:\Users\user\Desktop\techno POORD035338.exe | Code function: 0_2_00007FFD9B6F3ACC
Source: C:\Users\user\Desktop\techno POORD035338.exe | Code function: 0_2_00007FFD9B6EAA29
Source: C:\Users\user\Desktop\techno POORD035338.exe | Code function: 0_2_00007FFD9B6EAEB1
Source: C:\Users\user\Desktop\techno POORD035338.exe | Code function: 0_2_00007FFD9B6EDE49
Source: C:\Users\user\Desktop\techno POORD035338.exe | Code function: 0_2_00007FFD9B6E3530
Source: C:\Users\user\Desktop\techno POORD035338.exe | Code function: 0_2_00007FFD9B6E3520
Source: C:\Users\user\Desktop\techno POORD035338.exe | Code function: 0_2_00007FFD9B6E7D00
Source: C:\Users\user\Desktop\techno POORD035338.exe | Code function: 0_2_00007FFD9B7B0068
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_053C9378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_053CCDB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_053C3E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_053C9B38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_053C4A98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_053C41C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_064456E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_06443F50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_0644BD08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_0644DD18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_06449AE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_06442B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_06448BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_06440040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_06443250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_06445000
Source: C:\Users\user\Desktop\techno POORD035338.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7472 -s 1600
Source: techno POORD035338.exe | Static PE information: No import functions for PE file found
Source: techno POORD035338.exe, 00000000.00000002.1990364764.0000016880001000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAqofirivoqojal@ vs techno POORD035338.exe
Source: techno POORD035338.exe, 00000000.00000000.1756512576.00000168ED0A6000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameNewStb.exe4 vs techno POORD035338.exe
Source: techno POORD035338.exe, 00000000.00000002.1990925173.0000016890011000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename7e5bb978-3a35-43a5-95fe-dd44d69d6a5a.exe4 vs techno POORD035338.exe
Source: techno POORD035338.exe, 00000000.00000002.1990925173.0000016890011000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAqofirivoqojal@ vs techno POORD035338.exe
Source: techno POORD035338.exe, 00000000.00000002.1993824416.00000168EF759000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamePowerShell.EXE.MUIj% ) vs techno POORD035338.exe
Source: techno POORD035338.exe | Binary or memory string: OriginalFilenameNewStb.exe4 vs techno POORD035338.exe
Source: 0.2.techno POORD035338.exe.16890086f08.6.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.techno POORD035338.exe.1689004c4c0.5.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.techno POORD035338.exe.16890086f08.6.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.techno POORD035338.exe.1689004c4c0.5.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.techno POORD035338.exe.16890086f08.6.raw.unpack, 4JJG6X.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.techno POORD035338.exe.16890086f08.6.raw.unpack, 4JJG6X.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.techno POORD035338.exe.16890086f08.6.raw.unpack, 8C78isHTVco.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.techno POORD035338.exe.16890086f08.6.raw.unpack, 8C78isHTVco.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.techno POORD035338.exe.16890086f08.6.raw.unpack, 8C78isHTVco.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.techno POORD035338.exe.16890086f08.6.raw.unpack, 8C78isHTVco.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.techno POORD035338.exe.16890086f08.6.raw.unpack, CqSP68Ir.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.techno POORD035338.exe.16890086f08.6.raw.unpack, CqSP68Ir.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winEXE@10/10@1/1
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7472
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7480:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7632:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ldwe3j55.2g2.ps1
Source: techno POORD035338.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: techno POORD035338.exe | Static file information: TRID: Win64 Executable Console Net Framework (206006/5) 48.58%
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\techno POORD035338.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                    Source: C:\Users\user\Desktop\techno POORD035338.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: techno POORD035338.exeReversingLabs: Detection: 31%
                    Source: techno POORD035338.exeVirustotal: Detection: 34%
                    Source: C:\Users\user\Desktop\techno POORD035338.exeFile read: C:\Users\user\Desktop\techno POORD035338.exeJump to behavior
                    Source: unknownProcess created: C:\Users\user\Desktop\techno POORD035338.exe "C:\Users\user\Desktop\techno POORD035338.exe"
                    Source: C:\Users\user\Desktop\techno POORD035338.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\techno POORD035338.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\techno POORD035338.exe" -Force
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\techno POORD035338.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
                    Source: C:\Users\user\Desktop\techno POORD035338.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
                    Source: C:\Users\user\Desktop\techno POORD035338.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7472 -s 1600
                    Source: C:\Users\user\Desktop\techno POORD035338.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\techno POORD035338.exe" -ForceJump to behavior
                    Source: C:\Users\user\Desktop\techno POORD035338.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\techno POORD035338.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\techno POORD035338.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\techno POORD035338.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\techno POORD035338.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\techno POORD035338.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\techno POORD035338.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\techno POORD035338.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\techno POORD035338.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\techno POORD035338.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\techno POORD035338.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\techno POORD035338.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\techno POORD035338.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\techno POORD035338.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Users\user\Desktop\techno POORD035338.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\techno POORD035338.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\techno POORD035338.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\techno POORD035338.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\techno POORD035338.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\techno POORD035338.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\techno POORD035338.exe | Section loaded: propsys.dll
                    Source: C:\Users\user\Desktop\techno POORD035338.exe | Section loaded: edputil.dll
                    Source: C:\Users\user\Desktop\techno POORD035338.exe | Section loaded: urlmon.dll
                    Source: C:\Users\user\Desktop\techno POORD035338.exe | Section loaded: iertutil.dll
                    Source: C:\Users\user\Desktop\techno POORD035338.exe | Section loaded: srvcli.dll
                    Source: C:\Users\user\Desktop\techno POORD035338.exe | Section loaded: netutils.dll
                    Source: C:\Users\user\Desktop\techno POORD035338.exe | Section loaded: windows.staterepositoryps.dll
                    Source: C:\Users\user\Desktop\techno POORD035338.exe | Section loaded: wintypes.dll
                    Source: C:\Users\user\Desktop\techno POORD035338.exe | Section loaded: appresolver.dll
                    Source: C:\Users\user\Desktop\techno POORD035338.exe | Section loaded: bcp47langs.dll
                    Source: C:\Users\user\Desktop\techno POORD035338.exe | Section loaded: slc.dll
                    Source: C:\Users\user\Desktop\techno POORD035338.exe | Section loaded: sppc.dll
                    Source: C:\Users\user\Desktop\techno POORD035338.exe | Section loaded: onecorecommonproxystub.dll
                    Source: C:\Users\user\Desktop\techno POORD035338.exe | Section loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mscoree.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: apphelp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: aclayers.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mpr.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc_os.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: version.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: uxtheme.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wldp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: profapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rsaenh.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptbase.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wbemcomn.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: amsi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: userenv.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: vaultcli.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wintypes.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: iphlpapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dnsapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dhcpcsvc6.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dhcpcsvc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winnsi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mswsock.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rasadhlp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: fwpuclnt.dll
                    Source: C:\Users\user\Desktop\techno POORD035338.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                    Source: Window Recorder | Window detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\techno POORD035338.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
                    Source: techno POORD035338.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: techno POORD035338.exe | Static file information: File size 2884127 > 1048576
                    Source: techno POORD035338.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: System.Windows.Forms.pdb source: WERC1F.tmp.dmp.8.dr
                    Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WERC1F.tmp.dmp.8.dr
                    Source: Binary string: mscorlib.pdb source: WERC1F.tmp.dmp.8.dr
                    Source: Binary string: System.ni.pdbRSDS source: WERC1F.tmp.dmp.8.dr
                    Source: Binary string: System.Drawing.pdbq1 source: WERC1F.tmp.dmp.8.dr
                    Source: Binary string: System.Management.ni.pdbRSDSJ< source: WERC1F.tmp.dmp.8.dr
                    Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WERC1F.tmp.dmp.8.dr
                    Source: Binary string: System.Windows.Forms.ni.pdb source: WERC1F.tmp.dmp.8.dr
                    Source: Binary string: System.Management.pdb source: WERC1F.tmp.dmp.8.dr
                    Source: Binary string: System.Drawing.pdb source: WERC1F.tmp.dmp.8.dr
                    Source: Binary string: mscorlib.ni.pdb source: WERC1F.tmp.dmp.8.dr
                    Source: Binary string: System.Management.ni.pdb source: WERC1F.tmp.dmp.8.dr
                    Source: Binary string: System.Drawing.ni.pdb source: WERC1F.tmp.dmp.8.dr
                    Source: Binary string: System.Core.pdb source: WERC1F.tmp.dmp.8.dr
                    Source: Binary string: Microsoft.VisualBasic.pdb- source: WERC1F.tmp.dmp.8.dr
                    Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WERC1F.tmp.dmp.8.dr
                    Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WERC1F.tmp.dmp.8.dr
                    Source: Binary string: System.Drawing.ni.pdbRSDS source: WERC1F.tmp.dmp.8.dr
                    Source: Binary string: System.ni.pdb source: WERC1F.tmp.dmp.8.dr
                    Source: Binary string: System.pdb source: WERC1F.tmp.dmp.8.dr
                    Source: Binary string: System.Core.ni.pdbRSDS source: WERC1F.tmp.dmp.8.dr
                    Source: Binary string: System.Core.ni.pdb source: WERC1F.tmp.dmp.8.dr
                    Source: Binary string: Microsoft.VisualBasic.pdb source: WERC1F.tmp.dmp.8.dr
                    Source: C:\Users\user\Desktop\techno POORD035338.exe | Code function: 0_2_00007FFD9B6E3390 push ds; ret 0_2_00007FFD9B6E620F
                    Source: C:\Users\user\Desktop\techno POORD035338.exe | Code function: 0_2_00007FFD9B6E6171 push ds; ret 0_2_00007FFD9B6E620F
                    Source: C:\Users\user\Desktop\techno POORD035338.exe | Code function: 0_2_00007FFD9B6E7964 push ebx; retf 0_2_00007FFD9B6E796A
                    Source: C:\Users\user\Desktop\techno POORD035338.exe | Code function: 0_2_00007FFD9B6E17E5 push eax; retf 0_2_00007FFD9B6E181D
                    Source: C:\Users\user\Desktop\techno POORD035338.exe | Code function: 0_2_00007FFD9B6E1690 push eax; retf 0_2_00007FFD9B6E181D
                    Source: C:\Users\user\Desktop\techno POORD035338.exe | Code function: 0_2_00007FFD9B7B0068 push esp; retf 4810h 0_2_00007FFD9B7B0312

                    Hooking and other Techniques for Hiding and Protection

                    Source: initial sample | Icon embedded in binary file: icon matches a legit application icon: download (31).png
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Users\user\Desktop\techno POORD035338.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                    Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: Yara match File source: Process Memory Space: techno POORD035338.exe PID: 7472, type: MEMORYSTR
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\Desktop\techno POORD035338.exe WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
                    Source: techno POORD035338.exe, 00000000.00000002.1990364764.0000016880371000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
                    Source: techno POORD035338.exe, 00000000.00000002.1990364764.0000016880371000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
                    Source: techno POORD035338.exe, 00000000.00000002.1990364764.0000016880079000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLLP
                    Source: techno POORD035338.exe, 00000000.00000002.1990364764.0000016880079000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAMEP
                    Source: C:\Users\user\Desktop\techno POORD035338.exe Memory allocated: 168EEBC0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\techno POORD035338.exe Memory allocated: 168EED90000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 2E90000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 2EE0000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 4EE0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\techno POORD035338.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier
                    Source: C:\Users\user\Desktop\techno POORD035338.exe File opened / queried: C:\WINDOWS\system32\drivers\vmmouse.sys
                    Source: C:\Users\user\Desktop\techno POORD035338.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\disk\Enum name: 0
                    Source: C:\Users\user\Desktop\techno POORD035338.exe File opened / queried: C:\WINDOWS\system32\drivers\vmhgfs.sys
                    Source: C:\Users\user\Desktop\techno POORD035338.exe File opened / queried: C:\WINDOWS\system32\drivers\VBoxMouse.sys
                    Source: C:\Users\user\Desktop\techno POORD035338.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                    Source: C:\Users\user\Desktop\techno POORD035338.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                    Source: C:\Users\user\Desktop\techno POORD035338.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6357
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3296
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 6622
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 3225
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7928 Thread sleep time: -7378697629483816s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7932 Thread sleep count: 32 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7932 Thread sleep time: -29514790517935264s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7932 Thread sleep time: -100000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7940 Thread sleep count: 6622 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7932 Thread sleep time: -99890s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7940 Thread sleep count: 3225 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7932 Thread sleep time: -99780s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7932 Thread sleep time: -99671s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7932 Thread sleep time: -99561s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7932 Thread sleep time: -99453s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7932 Thread sleep time: -99344s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7932 Thread sleep time: -99234s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7932 Thread sleep time: -99124s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7932 Thread sleep time: -99015s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7932 Thread sleep time: -98896s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7932 Thread sleep time: -98766s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7932 Thread sleep time: -98641s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7932 Thread sleep time: -98531s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7932 Thread sleep time: -98422s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7932 Thread sleep time: -98312s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7932 Thread sleep time: -98203s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7932 Thread sleep time: -98094s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7932 Thread sleep time: -97984s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7932 Thread sleep time: -97875s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7932 Thread sleep time: -97765s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7932 Thread sleep time: -97656s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7932 Thread sleep time: -97547s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7932 Thread sleep time: -97437s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7932 Thread sleep time: -97328s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7932 Thread sleep time: -97213s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7932 Thread sleep time: -97094s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7932 Thread sleep time: -96974s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7932 Thread sleep time: -96841s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7932 Thread sleep time: -96719s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7932 Thread sleep time: -96609s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7932 Thread sleep time: -96485s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7932 Thread sleep time: -96353s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7932 Thread sleep time: -96101s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7932 Thread sleep time: -95984s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7932 Thread sleep time: -95875s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7932 Thread sleep time: -95765s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7932 Thread sleep time: -95656s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7932 Thread sleep time: -95547s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7932 Thread sleep time: -95437s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7932 Thread sleep time: -95328s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7932 Thread sleep time: -95219s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7932 Thread sleep time: -95109s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7932 Thread sleep time: -95000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7932 Thread sleep time: -94891s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7932 Thread sleep time: -94781s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7932 Thread sleep time: -94672s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7932 Thread sleep time: -94562s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7932 Thread sleep time: -94453s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7932 Thread sleep time: -94343s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7932 Thread sleep time: -94234s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7932 Thread sleep time: -94125s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 100000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 99890
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 99780
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 99671
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 99561
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 99453
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 99344
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 99234
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 99124
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 99015
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 98896
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 98766
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 98641
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 98531
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 98422
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 98312
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 98203
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 98094
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 97984
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 97875
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 97765
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 97656
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 97547
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 97437
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 97328
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 97213
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 97094
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 96974
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 96841
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 96719
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 96609
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 96485
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 96353
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 96101
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 95984
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 95875Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 95765Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 95656Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 95547Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 95437Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 95328Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 95219Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 95109Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 95000Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 94891Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 94781Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 94672Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 94562Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 94453Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 94343Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 94234Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 94125Jump to behavior
                    Source: techno POORD035338.exe, 00000000.00000002.1990364764.0000016880079000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: QEMUP
                    Source: Amcache.hve.8.dr | Binary or memory string: VMware
                    Source: techno POORD035338.exe, 00000000.00000002.1990364764.0000016880079000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: "SOFTWARE\VMware, Inc.\VMware ToolsP
                    Source: techno POORD035338.exe, 00000000.00000002.1990364764.0000016880371000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                    Source: Amcache.hve.8.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                    Source: techno POORD035338.exe, 00000000.00000002.1990364764.0000016880371000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE
                    Source: techno POORD035338.exe, 00000000.00000002.1990364764.0000016880371000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
                    Source: Amcache.hve.8.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                    Source: Amcache.hve.8.dr | Binary or memory string: vmci.sys
                    Source: techno POORD035338.exe, 00000000.00000002.1990364764.0000016880371000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
                    Source: techno POORD035338.exe, 00000000.00000002.1990364764.0000016880371000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
                    Source: techno POORD035338.exe, 00000000.00000002.1990364764.0000016880371000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
                    Source: Amcache.hve.8.dr | Binary or memory string: VMware20,1
                    Source: techno POORD035338.exe, 00000000.00000002.1990364764.0000016880079000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: &C:\WINDOWS\system32\drivers\vmhgfs.sysP
                    Source: Amcache.hve.8.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
                    Source: Amcache.hve.8.dr | Binary or memory string: NECVMWar VMware SATA CD00
                    Source: Amcache.hve.8.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
                    Source: Amcache.hve.8.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                    Source: Amcache.hve.8.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                    Source: Amcache.hve.8.dr | Binary or memory string: VMware PCI VMCI Bus Device
                    Source: techno POORD035338.exe, 00000000.00000002.1990364764.0000016880371000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
                    Source: techno POORD035338.exe, 00000000.00000002.1990364764.0000016880371000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
                    Source: Amcache.hve.8.dr | Binary or memory string: VMware VMCI Bus Device
                    Source: Amcache.hve.8.dr | Binary or memory string: VMware Virtual RAM
                    Source: Amcache.hve.8.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                    Source: techno POORD035338.exe, 00000000.00000002.1990364764.0000016880079000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWAREP
                    Source: Amcache.hve.8.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
                    Source: Amcache.hve.8.dr | Binary or memory string: VMware Virtual USB Mouse
                    Source: techno POORD035338.exe, 00000000.00000002.1990364764.0000016880079000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmwareP
                    Source: Amcache.hve.8.dr | Binary or memory string: vmci.syshbin
                    Source: Amcache.hve.8.dr | Binary or memory string: VMware, Inc.
                    Source: Amcache.hve.8.dr | Binary or memory string: VMware20,1hbin@
                    Source: techno POORD035338.exe, 00000000.00000002.1990364764.0000016880079000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: )C:\WINDOWS\system32\drivers\VBoxMouse.sysP
                    Source: Amcache.hve.8.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                    Source: Amcache.hve.8.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                    Source: Amcache.hve.8.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                    Source: techno POORD035338.exe, 00000000.00000002.1990364764.0000016880079000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: %C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\P
                    Source: techno POORD035338.exe, 00000000.00000002.1990364764.0000016880371000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                    Source: techno POORD035338.exe, 00000000.00000002.1990364764.0000016880371000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA II
                    Source: Amcache.hve.8.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
                    Source: Amcache.hve.8.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                    Source: techno POORD035338.exe, 00000000.00000002.1990364764.0000016880079000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA IIP
                    Source: RegAsm.exe, 00000004.00000002.3039217057.0000000006233000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: techno POORD035338.exe, 00000000.00000002.1990364764.0000016880079000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'C:\WINDOWS\system32\drivers\vmmouse.sysP
                    Source: Amcache.hve.8.dr | Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
                    Source: Amcache.hve.8.dr | Binary or memory string: vmci.syshbin`
                    Source: Amcache.hve.8.dr | Binary or memory string: \driver\vmci,\driver\pci
                    Source: techno POORD035338.exe, 00000000.00000002.1990364764.0000016880371000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                    Source: Amcache.hve.8.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                    Source: Amcache.hve.8.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                    Source: techno POORD035338.exe, 00000000.00000002.1990364764.0000016880079000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: "SOFTWARE\VMware, Inc.\VMware Tools
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\techno POORD035338.exe | Process queried: DebugPort
                    Source: C:\Users\user\Desktop\techno POORD035338.exe | Process queried: DebugPort
                    Source: C:\Users\user\Desktop\techno POORD035338.exe | Process token adjusted: Debug
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\techno POORD035338.exe | Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: techno POORD035338.exe, .cs | Reference to suspicious API methods: GetProcAddress(, )
                    Source: techno POORD035338.exe, .cs | Reference to suspicious API methods: LoadLibrary("kernel32.dll")
                    Source: techno POORD035338.exe, .cs | Reference to suspicious API methods: GetProcAddress(, "VirtualProtect")
                    Source: 0.2.techno POORD035338.exe.16890086f08.6.raw.unpack, zOS.cs | Reference to suspicious API methods: _120HqGy.OpenProcess(_2pIt.DuplicateHandle, bInheritHandle: true, (uint)iVE.ProcessID)
                    Source: C:\Users\user\Desktop\techno POORD035338.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\techno POORD035338.exe" -Force
                    Source: C:\Users\user\Desktop\techno POORD035338.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\techno POORD035338.exe" -Force
                    Source: C:\Users\user\Desktop\techno POORD035338.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\techno POORD035338.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
                    Source: C:\Users\user\Desktop\techno POORD035338.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
                    Source: C:\Users\user\Desktop\techno POORD035338.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43C000
                    Source: C:\Users\user\Desktop\techno POORD035338.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43E000
                    Source: C:\Users\user\Desktop\techno POORD035338.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: F14008
                    Source: C:\Users\user\Desktop\techno POORD035338.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\techno POORD035338.exe" -Force
                    Source: C:\Users\user\Desktop\techno POORD035338.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
                    Source: C:\Users\user\Desktop\techno POORD035338.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
                    Source: C:\Users\user\Desktop\techno POORD035338.exe | Queries volume information: C:\Users\user\Desktop\techno POORD035338.exe VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\techno POORD035338.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Lowering of HIPS / PFW / Operating System Security Settings

                    Source: C:\Users\user\Desktop\techno POORD035338.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA
                    Source: Amcache.hve.8.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                    Source: Amcache.hve.8.dr | Binary or memory string: msmpeng.exe
                    Source: Amcache.hve.8.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
                    Source: Amcache.hve.8.dr | Binary or memory string: MsMpEng.exe

                    Stealing of Sensitive Information

                    Source: Yara match | File source: 0.2.techno POORD035338.exe.16890086f08.6.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.techno POORD035338.exe.1689004c4c0.5.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.techno POORD035338.exe.16890086f08.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.techno POORD035338.exe.1689004c4c0.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000004.00000002.3035368585.0000000002F2E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000004.00000002.3034290046.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000004.00000002.3035368585.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1990925173.0000016890011000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: techno POORD035338.exe PID: 7472, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 7664, type: MEMORYSTR
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\FTP Navigator\Ftplist.txt
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: Yara match | File source: 0.2.techno POORD035338.exe.16890086f08.6.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.techno POORD035338.exe.1689004c4c0.5.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.techno POORD035338.exe.16890086f08.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.techno POORD035338.exe.1689004c4c0.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000004.00000002.3034290046.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000004.00000002.3035368585.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1990925173.0000016890011000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: techno POORD035338.exe PID: 7472, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 7664, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara match | File source: 0.2.techno POORD035338.exe.16890086f08.6.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.techno POORD035338.exe.1689004c4c0.5.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.techno POORD035338.exe.16890086f08.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.techno POORD035338.exe.1689004c4c0.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000004.00000002.3035368585.0000000002F2E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000004.00000002.3034290046.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000004.00000002.3035368585.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1990925173.0000016890011000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: techno POORD035338.exe PID: 7472, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 7664, type: MEMORYSTR

                    MITRE ATT&CK Matrix (one tactic per column; a number before a technique is the count shown next to it in the report)

                    Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                    --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
                    Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 221 Windows Management Instrumentation | 1 DLL Side-Loading | 211 Process Injection | 1 Masquerading | 2 OS Credential Dumping | 341 Security Software Discovery | Remote Services | 1 Email Collection | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                    Credentials | Domains | Default Accounts | 1 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 21 Disable or Modify Tools | 1 Input Capture | 1 Process Discovery | Remote Desktop Protocol | 1 Input Capture | 1 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service
                    Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 261 Virtualization/Sandbox Evasion | 1 Credentials in Registry | 261 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 11 Archive Collected Data | 11 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                    Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 211 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | 2 Data from Local System | Protocol Impersonation | Traffic Duplication | Data Destruction
                    Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                    Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Obfuscated Files or Information | Cached Domain Credentials | 24 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                    DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Source | Detection | Scanner | Label | Link
techno POORD035338.exe | 32% | ReversingLabs | Win64.Trojan.GenSteal |
techno POORD035338.exe | 34% | Virustotal | | Browse
techno POORD035338.exe | 100% | Joe Sandbox ML | |
                    No Antivirus matches
                    No Antivirus matches
Source | Detection | Scanner | Label | Link
mail.iaa-airferight.com | 7% | Virustotal | | Browse
Source | Detection | Scanner | Label | Link
http://upx.sf.net | 0% | URL Reputation | safe |
https://account.dyn.com/ | 0% | URL Reputation | safe |
http://mail.iaa-airferight.com | 7% | Virustotal | | Browse
Name | IP | Active | Malicious | Antivirus Detection | Reputation
mail.iaa-airferight.com | 46.175.148.58 | true | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://upx.sf.net | Amcache.hve.8.dr | false | URL Reputation: safe | unknown
https://account.dyn.com/ | techno POORD035338.exe, 00000000.00000002.1990925173.0000016890011000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.3034290046.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://go.mic | techno POORD035338.exe, 00000000.00000002.1993824416.00000168EF759000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://mail.iaa-airferight.com | RegAsm.exe, 00000004.00000002.3035368585.0000000002F36000.00000004.00000800.00020000.00000000.sdmp | true | | unknown
                      • No. of IPs < 25%
                      • 25% < No. of IPs < 50%
                      • 50% < No. of IPs < 75%
                      • 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
46.175.148.58 | mail.iaa-airferight.com | Ukraine | | 56394 | ASLAGIDKOM-NETUA | true
                      Joe Sandbox version:41.0.0 Charoite
                      Analysis ID:1541820
                      Start date and time:2024-10-25 07:51:23 +02:00
                      Joe Sandbox product:CloudBasic
                      Overall analysis duration:0h 5m 49s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:13
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Sample name:techno POORD035338.exe
                      Detection:MAL
                      Classification:mal100.troj.spyw.expl.evad.winEXE@10/10@1/1
                      EGA Information:
                      • Successful, ratio: 100%
                      HCA Information:
                      • Successful, ratio: 86%
                      • Number of executed functions: 64
                      • Number of non-executed functions: 0
                      Cookbook Comments:
                      • Found application associated with file extension: .exe
                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                      • Excluded IPs from analysis (whitelisted): 20.189.173.21
                      • Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                      • Report size exceeded maximum capacity and may have missing behavior information.
                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                      • Report size getting too big, too many NtCreateKey calls found.
                      • Report size getting too big, too many NtOpenKeyEx calls found.
                      • Report size getting too big, too many NtQueryValueKey calls found.
                      • Report size getting too big, too many NtReadVirtualMemory calls found.
                      • Report size getting too big, too many NtSetInformationFile calls found.
Time | Type | Description
01:52:31 | API Interceptor | 180x Sleep call for process: RegAsm.exe modified
01:52:31 | API Interceptor | 13x Sleep call for process: powershell.exe modified
01:52:46 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
46.175.148.58 | New Cmr JV2410180005.exe | Get hash | malicious | AgentTesla, PureLog Stealer, zgRAT | Browse |
 | PO F1298-24 Fabric Order.exe | Get hash | malicious | AgentTesla | Browse |
 | PO F1298-24 Fabric Order.zip | Get hash | malicious | AgentTesla | Browse |
 | PO 316347 24MIA00660067.exe | Get hash | malicious | AgentTesla | Browse |
 | Purchase Order For Linear Actuator.exe | Get hash | malicious | AgentTesla | Browse |
 | PO FOR CONNECTOR WITH TERMINAL.exe | Get hash | malicious | AgentTesla, PureLog Stealer, zgRAT | Browse |
 | New PO-Auras Demand.exe | Get hash | malicious | AgentTesla | Browse |
 | SecuriteInfo.com.BackDoor.AgentTeslaNET.37.28277.26776.exe | Get hash | malicious | AgentTesla | Browse |
 | New Purchase Order 568330.exe | Get hash | malicious | AgentTesla | Browse |
 | SecuriteInfo.com.Win32.PWSX-gen.20380.30925.exe | Get hash | malicious | AgentTesla | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
mail.iaa-airferight.com | New Cmr JV2410180005.exe | Get hash | malicious | AgentTesla, PureLog Stealer, zgRAT | Browse | 46.175.148.58
 | PO F1298-24 Fabric Order.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
 | PO F1298-24 Fabric Order.zip | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
 | PO 316347 24MIA00660067.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
 | Purchase Order For Linear Actuator.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
 | PO FOR CONNECTOR WITH TERMINAL.exe | Get hash | malicious | AgentTesla, PureLog Stealer, zgRAT | Browse | 46.175.148.58
 | New PO-Auras Demand.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
 | SecuriteInfo.com.BackDoor.AgentTeslaNET.37.28277.26776.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
 | New Purchase Order 568330.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
 | SecuriteInfo.com.Win32.PWSX-gen.20380.30925.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
ASLAGIDKOM-NETUA | New Cmr JV2410180005.exe | Get hash | malicious | AgentTesla, PureLog Stealer, zgRAT | Browse | 46.175.148.58
 | PO F1298-24 Fabric Order.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
 | PO F1298-24 Fabric Order.zip | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
 | PO 316347 24MIA00660067.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
 | Purchase Order For Linear Actuator.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
 | PO FOR CONNECTOR WITH TERMINAL.exe | Get hash | malicious | AgentTesla, PureLog Stealer, zgRAT | Browse | 46.175.148.58
 | New PO-Auras Demand.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
 | SecuriteInfo.com.BackDoor.AgentTeslaNET.37.28277.26776.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
 | New Purchase Order 568330.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
 | SecuriteInfo.com.Win32.PWSX-gen.20380.30925.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
                                          No context
                                          No context
                                          Process:C:\Windows\System32\WerFault.exe
                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):65536
                                          Entropy (8bit):1.2320137305636618
                                          Encrypted:false
                                          SSDEEP:192:fm146OT50UnUVaWBHhQ83mWdzuiFlZ24lO8v:uqruUnUVamHhYCzuiFlY4lO8v
                                          MD5:B96AD9616596F101CB0CBDAC6DB6746C
                                          SHA1:7C7039AF9827BAF20B483719DA14B379089318B7
                                          SHA-256:FEF3B7DD2AB98F463C930DCD932C83F29497BE70FAEEA46C65CCDFE195CFB9BE
                                          SHA-512:A37D3DBE396C31FC554F78DD7E4339C4840E3907E3CB7B0B1EDB800679C8EE1CA2E6363C7C6C4A42398DFD24C78B339B39BD2BD32DD4B63B6B7676F2E065782A
                                          Malicious:false
                                          Reputation:low
                                          Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.4.3.0.9.1.5.0.2.2.6.2.4.7.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.4.3.0.9.1.5.1.1.9.4.9.9.7.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.9.6.b.2.f.1.7.-.e.9.e.b.-.4.d.e.c.-.9.8.7.d.-.5.e.b.0.9.c.4.1.f.f.9.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.c.d.a.f.d.b.2.-.a.e.f.6.-.4.3.f.1.-.b.3.8.8.-.b.8.5.a.4.7.e.9.0.e.4.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.t.e.c.h.n.o. .P.O.O.R.D.0.3.5.3.3.8...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.N.e.w.S.t.b...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.3.0.-.0.0.0.1.-.0.0.1.4.-.d.c.6.5.-.3.b.1.0.a.2.2.6.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.8.3.2.d.3.b.b.9.6.6.c.3.6.5.f.d.0.f.4.d.1.4.0.c.2.d.7.2.d.5.4.0.0.0.0.0.0.0.0.!.0.0.0.0.f.7.4.6.2.7.7.e.6.2.0.b.0.f.7.e.7.f.7.7.f.1.0.6.a.6.1.c.4.4.a.3.5.a.8.f.e.4.6.8.!.t.e.c.h.
                                          Process:C:\Windows\System32\WerFault.exe
                                          File Type:Mini DuMP crash report, 16 streams, Fri Oct 25 05:52:30 2024, 0x1205a4 type
                                          Category:dropped
                                          Size (bytes):478512
                                          Entropy (8bit):3.294393591188427
                                          Encrypted:false
                                          SSDEEP:3072:YXucqIscSckIQ/yeWH2lS4JjKkucSeP41CCq7T3+v6FGbkJmZQb06:Yeu0cbTUjgRq7T3Q/A8ZQB
                                          MD5:524B16C76C3F2FB599BE8E272F478857
                                          SHA1:F277E0B188F8F69BAB10B0C2E03998EC009D91E9
                                          SHA-256:E3267E36A3EB3C2AD50D38406E901C2706B7B0DEE6BCFBD6291DFCC92758B586
                                          SHA-512:8066818DE71479543930A2F3FA3043F1E6C97EFD3C84A89E48D70513BA49EE56E310337A48E7CD21FF78754504E9D5D971DFAD49E732BC76E5BA8911475E886D
                                          Malicious:false
                                          Preview:MDMP..a..... ........2.g............t...........<...........$....(......$ ...(.......O..............l.......8...........T...........`<...............I...........K..............................................................................eJ.......K......Lw......................T.......0....2.g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................
                                          Process:C:\Windows\System32\WerFault.exe
                                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):8640
                                          Entropy (8bit):3.7113775546115653
                                          Encrypted:false
                                          SSDEEP:192:R6l7wVeJM+ZD/1e6Y9Qljigmf66Jhprn89bh/Ef1Lm:R6lXJtZDU6YalGgmf6ikh8fU
                                          MD5:A4425F71893D59D56A0A8165C51411F4
                                          SHA1:9C08F31B32F40F2EFFD9EF00DF5A8EE4CD1A37DE
                                          SHA-256:CB678CEE2DF74702501E4967F2E48F4877E1B9BF220D757D3BA2F51F0FAC2A70
                                          SHA-512:81350FAF7974E1AE5526151868BF616A4D1855C4F05C47F79AB215877D448697E5332B6B7CF361D6CB548FC9E6BD389B5D683F2695AA7F7654B8A2F74AB91CED
                                          Malicious:false
                                          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.4.7.2.<./.P.i.
                                          Process:C:\Windows\System32\WerFault.exe
                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):4799
                                          Entropy (8bit):4.535025259167301
                                          Encrypted:false
                                          SSDEEP:48:cvIwWl8zsDJg771I9FKWpW8VYAoYm8M4JDiQtAFbyq85vG+vRcKWvPWZd:uIjfdI7Gr7VPFJVk9YRuvuZd
                                          MD5:01910EDB383093277980AFB92CC21BE6
                                          SHA1:7748389175724693393B28F2B00F63DF881604AC
                                          SHA-256:537772E76857E8D61CC73DC0B45BC2F648AA8241B04DF40819CE2F14FB111B2A
                                          SHA-512:A84E50C6D77D02E630BE0C9DBA1D20BC3C1ED9E98E10DF0983D9FB3B6BC587DB84C41022B6BBBDFB09FE893838F93DF645F1216CFFEB0B59BF785BD929892944
                                          Malicious:false
                                          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="558535" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):64
                                          Entropy (8bit):1.1940658735648508
                                          Encrypted:false
                                          SSDEEP:3:NlllulxmH/lZ:NllUg
                                          MD5:D904BDD752B6F23D81E93ECA3BD8E0F3
                                          SHA1:026D8B0D0F79861746760B0431AD46BAD2A01676
                                          SHA-256:B393D3CEC8368794972E4ADD978B455A2F5BD37E3A116264DBED14DC8C67D6F2
                                          SHA-512:5B862B7F0BCCEF48E6A5A270C3F6271D7A5002465EAF347C6A266365F1B2CD3D88144C043D826D3456AA43484124D619BF16F9AEAB1F706463F553EE24CB5740
                                          Malicious:false
                                          Preview:@...e................................. ..............@..........
                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                          Process:C:\Windows\System32\WerFault.exe
                                          File Type:MS Windows registry file, NT/2000 or above
                                          Category:dropped
                                          Size (bytes):1835008
                                          Entropy (8bit):4.465641028969415
                                          Encrypted:false
                                          SSDEEP:6144:1IXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNEdwBCswSbF:2XD94+WlLZMM6YFHm+F
                                          MD5:C0839D6E84E788A35FD9385B55627D91
                                          SHA1:163EBF759F848A64DC58664BCB099E38457DCB9E
                                          SHA-256:86CCB6DE1676435957875BBB1A4DB3A5A0649FB0F49BDB6CB7BE73B1BCAA9CA7
                                          SHA-512:DC4B25C800B8DE6C193D5196F14B199AF763D4658E8023C7C5F55790AAA4A9A4C830170918985086B1250E6E317196E50216677C81D8279AAF79A83EC4F14EA1
                                          Malicious:false
                                          Preview:regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmz....&..............................................................................................................................................................................................................................................................................................................................................~}. ........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                          File type:PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
                                          Entropy (8bit):4.881096315042891
                                          TrID:
                                          • Win64 Executable Console Net Framework (206006/5) 48.58%
                                          • Win64 Executable Console (202006/5) 47.64%
                                          • Win64 Executable (generic) (12005/4) 2.83%
                                          • Generic Win/DOS Executable (2004/3) 0.47%
                                          • DOS Executable Generic (2002/1) 0.47%
                                          File name:techno POORD035338.exe
                                          File size:2'884'127 bytes
                                          MD5:3347ea2966db1b15601fd171d9d49513
                                          SHA1:f746277e620b0f7e7f77f106a61c44a35a8fe468
                                          SHA256:4d77def6a54990ec94ce80d0e2c5a0ee8ccb543e83f1ca7ed05987ce8454f132
                                          SHA512:f215d758bcc125da90eb91984e6a167eac347aac4b1a5ddbe39144777f449d4f0e526d46234f40c366bc9fcba381840065f12b0f2f16314d167f80edcf225ec7
                                          SSDEEP:12288:I1P7r9r/+ppppppppppppppppppppppppppppp0GhkO8M5n6PgxCzjPvdaSKD7yN:e1qhL8E6PQgPvdRvOKUxK/IqnY8
                                          TLSH:DDD5CE80B5475D93FC185630E5E6B8F442FE6DAB78F4901FDF993D262ABA2BE0011076
                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....u.g.........."...0.B%...N........... ....@...... ..............................JG,...`................................
                                          Icon Hash:c5a684988c94a0c5
                                          Entrypoint:0x400000
                                          Entrypoint Section:
                                          Digitally signed:false
                                          Imagebase:0x400000
                                          Subsystem:windows cui
                                          Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                          DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                          Time Stamp:0x671A75BC [Thu Oct 24 16:28:44 2024 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:
                                          OS Version Major:4
                                          OS Version Minor:0
                                          File Version Major:4
                                          File Version Minor:0
                                          Subsystem Version Major:4
                                          Subsystem Version Minor:0
                                          Import Hash:
                                          Instruction
                                          dec ebp
                                          pop edx
                                          nop
                                          add byte ptr [ebx], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax+eax], al
                                          add byte ptr [eax], al
                                          Name | Virtual Address | Virtual Size | Is in Section
                                          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6000 | 0x34f0e | .rsrc
                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2000 | 0x48 | .text
                                          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                          Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                          .text | 0x2000 | 0x2542 | 0x2600 | 924a65bc7072deba44f9f53764ed7e35 | False | 0.5804893092105263 | data | 5.723115991470882 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                          .rsrc | 0x6000 | 0x34f0e | 0x35000 | e5570df57bd337d747d19d636137004c | False | 0.20985959610849056 | data | 4.437155550708701 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                          Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                          RT_ICON | 0x6474 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | | | 0.3225609756097561
                                          RT_ICON | 0x6adc | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | | | 0.43951612903225806
                                          RT_ICON | 0x6dc4 | 0x1e8 | Device independent bitmap graphic, 24 x 48 x 4, image size 288 | | | 0.4016393442622951
                                          RT_ICON | 0x6fac | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | | | 0.4831081081081081
                                          RT_ICON | 0x70d4 | 0x35e0 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9907192575406032
                                          RT_ICON | 0xa6b4 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | | | 0.4584221748400853
                                          RT_ICON | 0xb55c | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | | | 0.47382671480144406
                                          RT_ICON | 0xbe04 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | | | 0.45564516129032256
                                          RT_ICON | 0xc4cc | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | | | 0.3504335260115607
                                          RT_ICON | 0xca34 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | | | 0.07868508221933042
                                          RT_ICON | 0x1d25c | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | | | 0.15114568005045195
                                          RT_ICON | 0x26704 | 0x67e8 | Device independent bitmap graphic, 80 x 160 x 32, image size 26560 | | | 0.1543233082706767
                                          RT_ICON | 0x2ceec | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 | | | 0.175184842883549
                                          RT_ICON | 0x32374 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | | | 0.15948275862068967
                                          RT_ICON | 0x3659c | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | | | 0.24107883817427386
                                          RT_ICON | 0x38b44 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | | | 0.2678236397748593
                                          RT_ICON | 0x39bec | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | | | 0.37459016393442623
                                          RT_ICON | 0x3a574 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | | | 0.42819148936170215
                                          RT_GROUP_ICON | 0x3a9dc | 0x102 | data | | | 0.6046511627906976
                                          RT_VERSION | 0x3aae0 | 0x244 | data | | | 0.46379310344827585
                                          RT_MANIFEST | 0x3ad24 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
                                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                          Oct 25, 2024 07:52:31.930917978 CEST | 49731 | 25 | 192.168.2.4 | 46.175.148.58
                                          Oct 25, 2024 07:52:32.929378986 CEST | 49731 | 25 | 192.168.2.4 | 46.175.148.58
                                          Oct 25, 2024 07:52:34.929373980 CEST | 49731 | 25 | 192.168.2.4 | 46.175.148.58
                                          Oct 25, 2024 07:52:38.929393053 CEST | 49731 | 25 | 192.168.2.4 | 46.175.148.58
                                          Oct 25, 2024 07:52:46.929408073 CEST | 49731 | 25 | 192.168.2.4 | 46.175.148.58
                                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                          Oct 25, 2024 07:52:31.856028080 CEST | 63258 | 53 | 192.168.2.4 | 1.1.1.1
                                          Oct 25, 2024 07:52:31.889775991 CEST | 53 | 63258 | 1.1.1.1 | 192.168.2.4
                                          Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                          Oct 25, 2024 07:52:31.856028080 CEST | 192.168.2.4 | 1.1.1.1 | 0x43b2 | Standard query (0) | mail.iaa-airferight.com | A (IP address) | IN (0x0001) | false
                                          Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                          Oct 25, 2024 07:52:31.889775991 CEST | 1.1.1.1 | 192.168.2.4 | 0x43b2 | No error (0) | mail.iaa-airferight.com | | 46.175.148.58 | A (IP address) | IN (0x0001) | false

                                          Target ID:0
                                          Start time:01:52:23
                                          Start date:25/10/2024
                                          Path:C:\Users\user\Desktop\techno POORD035338.exe
                                          Wow64 process (32bit):false
                                          Commandline:"C:\Users\user\Desktop\techno POORD035338.exe"
                                          Imagebase:0x168ed0a0000
                                          File size:2'884'127 bytes
                                          MD5 hash:3347EA2966DB1B15601FD171D9D49513
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1990364764.0000016880371000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1990925173.0000016890011000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1990925173.0000016890011000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          Reputation:low
                                          Has exited:true

                                          Target ID:1
                                          Start time:01:52:23
                                          Start date:25/10/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff7699e0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:2
                                          Start time:01:52:28
                                          Start date:25/10/2024
                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          Wow64 process (32bit):false
                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\techno POORD035338.exe" -Force
                                          Imagebase:0x7ff788560000
                                          File size:452'608 bytes
                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:3
                                          Start time:01:52:28
                                          Start date:25/10/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff7699e0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:4
                                          Start time:01:52:28
                                          Start date:25/10/2024
                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
                                          Imagebase:0xc20000
                                          File size:65'440 bytes
                                          MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.3035368585.0000000002F2E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.3034290046.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.3034290046.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.3035368585.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.3035368585.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          Reputation:high
                                          Has exited:false

                                          Target ID:5
                                          Start time:01:52:28
                                          Start date:25/10/2024
                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                          Wow64 process (32bit):false
                                          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
                                          Imagebase:0x120000
                                          File size:65'440 bytes
                                          MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:8
                                          Start time:01:52:29
                                          Start date:25/10/2024
                                          Path:C:\Windows\System32\WerFault.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\WerFault.exe -u -p 7472 -s 1600
                                          Imagebase:0x7ff72b030000
                                          File size:570'736 bytes
                                          MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                            Execution Graph

                                            Execution Coverage:9.3%
                                            Dynamic/Decrypted Code Coverage:100%
                                            Signature Coverage:0%
                                            Total number of Nodes:6
                                            Total number of Limit Nodes:0

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1994941216.00007FFD9B7B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ffd9b7b0000_techno POORD035338.jbxd
                                            Similarity
                                            • String ID: *Zn
                                            • API String ID: 0-3399236210
                                            • Opcode ID: 6cf0bc60b6e93182fcb16ead3bfa215203544bebba7857fa87cdcfbf77bfcf55
                                            • Instruction ID: 1cdbce9dd2bf098d4479c91f3cffae441fba99c5b46c48db2c5702c2f18c70ac
                                            • Opcode Fuzzy Hash: 6cf0bc60b6e93182fcb16ead3bfa215203544bebba7857fa87cdcfbf77bfcf55
                                            • Instruction Fuzzy Hash: 4EE23B72A0E7D94FEB66DB6888655A47BE0EF56300F1A02FED089CB0B3DA146D45CF41
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1994631451.00007FFD9B6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ffd9b6e0000_techno POORD035338.jbxd
                                            Similarity
                                            • String ID: :O_
                                            • API String ID: 0-702398431
                                            • Opcode ID: 9c409bcb9286bef702a1bb79b4c215c181cbc6c4b99a89a9ef11025b88826fa3
                                            • Instruction ID: 634d4cbc3f6e2c4cbbd3b6802596b0e945ab01a91ad1d228364a5e57986b7d00
                                            • Opcode Fuzzy Hash: 9c409bcb9286bef702a1bb79b4c215c181cbc6c4b99a89a9ef11025b88826fa3
                                            • Instruction Fuzzy Hash: C0B2E531B09A4E8FEBA8DF58D4A5AB877E1FF55300F1500B9D05ECB2A2DE24BD418B41

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1994631451.00007FFD9B6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ffd9b6e0000_techno POORD035338.jbxd
                                            Similarity
                                            • String ID: fish
                                            • API String ID: 0-1064584243
                                            • Opcode ID: c06781ab0a11bc10e12214a0bfc830d569c4fb8913fbf6b4f9921e0fb0496a8e
                                            • Instruction ID: c2ab6e4d0d9c4a9f7f26c6b813926cf28c766c83b493a422da0099f06f0b61d2
                                            • Opcode Fuzzy Hash: c06781ab0a11bc10e12214a0bfc830d569c4fb8913fbf6b4f9921e0fb0496a8e
                                            • Instruction Fuzzy Hash: 00E18D31B1DA4E0FE72DAB6898755B577E1EF95310B0541BEE09ACB2E3ED14BD028381
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1994631451.00007FFD9B6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ffd9b6e0000_techno POORD035338.jbxd
                                            Similarity
                                            • Opcode ID: 6d8c236a3e1c2307045198e314e7fcf63d15e9e9da4610a702cbd6768b863bb9
                                            • Instruction ID: e55e091247524c48384a1bf516c49deafd00e336150e2c6d8864326375e40a78
                                            • Opcode Fuzzy Hash: 6d8c236a3e1c2307045198e314e7fcf63d15e9e9da4610a702cbd6768b863bb9
                                            • Instruction Fuzzy Hash: 1AC2753070DB494FD368DB2884A04B5B7E2FF85301B1545BEE49ACB2A6DE34F956C781
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1994631451.00007FFD9B6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ffd9b6e0000_techno POORD035338.jbxd
                                            Similarity
                                            • Opcode ID: 15b336bc6c1968d41568a8bddbe1dfb49799ea2a795a9139cee6d07b0a2ee577
                                            • Instruction ID: 892e1e31ba3ad31ae75b629f5fdb86a940ecce2a37bbadc96d4d9ca78a7e6c9e
                                            • Opcode Fuzzy Hash: 15b336bc6c1968d41568a8bddbe1dfb49799ea2a795a9139cee6d07b0a2ee577
                                            • Instruction Fuzzy Hash: 01B24B3160E78A4FD729CB64C4A04A47BF1FF96300B1945BED09ACB2B7DA38B956C741
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1994631451.00007FFD9B6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ffd9b6e0000_techno POORD035338.jbxd
                                            Similarity
                                            • Opcode ID: 75c2947d987e6fefb8b481d02607983d5f1354fef8d60ee3ff08968205a9ea84
                                            • Instruction ID: 8ed1561f499d9c073ab7779d0b2facea53fc3453b9d9ab80343b7096a41b30c6
                                            • Opcode Fuzzy Hash: 75c2947d987e6fefb8b481d02607983d5f1354fef8d60ee3ff08968205a9ea84
                                            • Instruction Fuzzy Hash: 7A727631B0E68A4FE7298B5884616B47BE1EF91310F0541BDD4AECF5E3DE28B946C780

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1994631451.00007FFD9B6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ffd9b6e0000_techno POORD035338.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3f7ed9560ca496646c7fd81f605f3b8be4476e9318e1371816705fc9bd77e7f4
                                            • Instruction ID: 1c32c7572f305a72356fa04bc739e5326079fb7e95cd9f1bffb002d748ef22fe
                                            • Opcode Fuzzy Hash: 3f7ed9560ca496646c7fd81f605f3b8be4476e9318e1371816705fc9bd77e7f4
                                            • Instruction Fuzzy Hash: F252E430B09A0D8FDB68DB6C9465A7977E1FF59300F1501BEE05ECB2A2DE24BD528781

                                            Control-flow Graph

                                            control_flow_graph 2337 7ffd9b6e7d00-7ffd9b6f2aea 2339 7ffd9b6f2aec-7ffd9b6f2b03 2337->2339 2340 7ffd9b6f2b34-7ffd9b6f2bd0 2337->2340 2341 7ffd9b6f2b08-7ffd9b6f2b0d 2339->2341 2352 7ffd9b6f2c41-7ffd9b6f2c49 2340->2352 2353 7ffd9b6f2bd2-7ffd9b6f2bd4 2340->2353 2344 7ffd9b6f2b0f-7ffd9b6f2b32 2341->2344 2344->2340 2354 7ffd9b6f2c4d-7ffd9b6f2c4e 2352->2354 2355 7ffd9b6f2bd6 2353->2355 2356 7ffd9b6f2c50-7ffd9b6f2c5b 2353->2356 2354->2356 2357 7ffd9b6f2c1c-7ffd9b6f2c1f 2355->2357 2358 7ffd9b6f2bd8-7ffd9b6f2bdc 2355->2358 2364 7ffd9b6f2c5d-7ffd9b6f2c65 2356->2364 2361 7ffd9b6f2c9b-7ffd9b6f2ca7 2357->2361 2362 7ffd9b6f2c21 2357->2362 2358->2354 2360 7ffd9b6f2bde-7ffd9b6f2be1 2358->2360 2360->2364 2365 7ffd9b6f2be3 2360->2365 2363 7ffd9b6f2ca8-7ffd9b6f2cb6 2361->2363 2366 7ffd9b6f2c67-7ffd9b6f2c6d 2362->2366 2367 7ffd9b6f2c23-7ffd9b6f2c27 2362->2367 2377 7ffd9b6f2cb9-7ffd9b6f2cc2 2363->2377 2364->2366 2368 7ffd9b6f2c29-7ffd9b6f2c2c 2365->2368 2369 7ffd9b6f2be5-7ffd9b6f2c1b 2365->2369 2370 7ffd9b6f2c6f-7ffd9b6f2c73 2366->2370 2371 7ffd9b6f2cde-7ffd9b6f2ce7 2366->2371 2367->2368 2372 7ffd9b6f2c98-7ffd9b6f2c99 2367->2372 2368->2363 2375 7ffd9b6f2c2e 2368->2375 2369->2357 2384 7ffd9b6f2c8c-7ffd9b6f2c96 2369->2384 2370->2377 2379 7ffd9b6f2c74-7ffd9b6f2c79 2370->2379 2376 7ffd9b6f2cea-7ffd9b6f2cf8 2371->2376 2372->2361 2375->2379 2380 7ffd9b6f2c30-7ffd9b6f2c3f 2375->2380 2386 7ffd9b6f2cfa-7ffd9b6f2d0a 2376->2386 2382 7ffd9b6f2cc3 2377->2382 2383 7ffd9b6f2d3e 2377->2383 2379->2376 2385 7ffd9b6f2c7b-7ffd9b6f2c7e 2379->2385 2380->2352 2387 7ffd9b6f2d34-7ffd9b6f2d3d 2382->2387 2388 7ffd9b6f2cc4-7ffd9b6f2cc5 2382->2388 2391 7ffd9b6f2d40-7ffd9b6f2d42 2383->2391 2384->2372 2385->2386 2389 7ffd9b6f2c80 2385->2389 2393 7ffd9b6f2d7b-7ffd9b6f2d84 2386->2393 2394 7ffd9b6f2d0c-7ffd9b6f2d0e 2386->2394 2387->2383 2395 7ffd9b6f2cc6-7ffd9b6f2cc7 2388->2395 2389->2395 2396 7ffd9b6f2c82-7ffd9b6f2c89 2389->2396 2392 7ffd9b6f2d43-7ffd9b6f2d48 2391->2392 
2397 7ffd9b6f2d49-7ffd9b6f2d4e 2392->2397 2413 7ffd9b6f2d87-7ffd9b6f2d89 2393->2413 2398 7ffd9b6f2d8a-7ffd9b6f2d8f 2394->2398 2399 7ffd9b6f2d0f 2394->2399 2395->2392 2400 7ffd9b6f2cc8 2395->2400 2396->2384 2402 7ffd9b6f2dca-7ffd9b6f2dcb 2397->2402 2403 7ffd9b6f2d4f 2397->2403 2404 7ffd9b6f2d90-7ffd9b6f2d95 2398->2404 2399->2404 2405 7ffd9b6f2d10 2399->2405 2400->2397 2406 7ffd9b6f2cc9 2400->2406 2412 7ffd9b6f2dcc-7ffd9b6f2dce 2402->2412 2408 7ffd9b6f2d50-7ffd9b6f2d53 2403->2408 2414 7ffd9b6f2d96 2404->2414 2415 7ffd9b6f2e11 2404->2415 2409 7ffd9b6f2d56-7ffd9b6f2d5b 2405->2409 2410 7ffd9b6f2d11-7ffd9b6f2d16 2405->2410 2406->2399 2411 7ffd9b6f2cca-7ffd9b6f2ccf 2406->2411 2418 7ffd9b6f2d55 2408->2418 2419 7ffd9b6f2dcf-7ffd9b6f2dd4 2408->2419 2409->2412 2420 7ffd9b6f2d5d-7ffd9b6f2d60 2409->2420 2410->2413 2421 7ffd9b6f2d18-7ffd9b6f2d1b 2410->2421 2411->2391 2422 7ffd9b6f2cd1-7ffd9b6f2cd4 2411->2422 2412->2419 2413->2398 2416 7ffd9b6f2e07-7ffd9b6f2e10 2414->2416 2417 7ffd9b6f2d97-7ffd9b6f2d9a 2414->2417 2423 7ffd9b6f2e12 2415->2423 2416->2415 2424 7ffd9b6f2d9b 2417->2424 2425 7ffd9b6f2e16 2417->2425 2418->2409 2418->2424 2430 7ffd9b6f2dd5-7ffd9b6f2ddb 2419->2430 2426 7ffd9b6f2ddc 2420->2426 2427 7ffd9b6f2d62 2420->2427 2421->2417 2428 7ffd9b6f2d1c 2421->2428 2422->2408 2429 7ffd9b6f2cd6 2422->2429 2431 7ffd9b6f2e13 2423->2431 2434 7ffd9b6f2e1c-7ffd9b6f2e22 2424->2434 2435 7ffd9b6f2d9c 2424->2435 2432 7ffd9b6f2e17 2425->2432 2433 7ffd9b6f2e18-7ffd9b6f2e1a 2425->2433 2444 7ffd9b6f2e58 2426->2444 2445 7ffd9b6f2ddd 2426->2445 2436 7ffd9b6f2da8 2427->2436 2437 7ffd9b6f2d63-7ffd9b6f2d7a 2427->2437 2438 7ffd9b6f2d9d-7ffd9b6f2da2 2428->2438 2439 7ffd9b6f2d1d 2428->2439 2429->2428 2441 7ffd9b6f2cd8-7ffd9b6f2cdb 2429->2441 2430->2426 2442 7ffd9b6f2e15 2431->2442 2443 7ffd9b6f2db0-7ffd9b6f2dc5 2431->2443 2432->2433 2433->2423 2433->2434 2448 7ffd9b6f2e23 2434->2448 2435->2438 2446 7ffd9b6f2de2 2435->2446 2449 7ffd9b6f2e29-7ffd9b6f2e32 2436->2449 2450 7ffd9b6f2da9 2436->2450 
2437->2393 2438->2431 2447 7ffd9b6f2da4-7ffd9b6f2da7 2438->2447 2439->2437 2451 7ffd9b6f2d1e-7ffd9b6f2d33 2439->2451 2441->2371 2442->2425 2443->2402 2454 7ffd9b6f2e5a 2444->2454 2452 7ffd9b6f2e4e-7ffd9b6f2e56 2445->2452 2453 7ffd9b6f2dde-7ffd9b6f2de1 2445->2453 2456 7ffd9b6f2e63-7ffd9b6f2e67 2446->2456 2457 7ffd9b6f2de3 2446->2457 2447->2436 2447->2448 2448->2449 2461 7ffd9b6f2e4b-7ffd9b6f2e4c 2449->2461 2462 7ffd9b6f2e34-7ffd9b6f2e35 2449->2462 2459 7ffd9b6f2daa-7ffd9b6f2dae 2450->2459 2460 7ffd9b6f2def-7ffd9b6f2df0 2450->2460 2451->2387 2453->2446 2455 7ffd9b6f2e5d-7ffd9b6f2e62 2453->2455 2454->2455 2455->2456 2468 7ffd9b6f2e6a-7ffd9b6f2e7a 2456->2468 2457->2449 2464 7ffd9b6f2de4-7ffd9b6f2de9 2457->2464 2459->2443 2463 7ffd9b6f2e36-7ffd9b6f2e38 2460->2463 2469 7ffd9b6f2df1-7ffd9b6f2e06 2460->2469 2461->2452 2462->2463 2463->2430 2470 7ffd9b6f2e3a-7ffd9b6f2e41 2463->2470 2464->2454 2467 7ffd9b6f2deb-7ffd9b6f2dee 2464->2467 2467->2460 2467->2468 2468->2432 2472 7ffd9b6f2e7c-7ffd9b6f2efc call 7ffd9b6e0288 call 7ffd9b6e59e0 2468->2472 2469->2416 2470->2461 2474 7ffd9b6f2e43-7ffd9b6f2e49 2470->2474 2485 7ffd9b6f2f01-7ffd9b6f2f2a 2472->2485 2474->2461 2486 7ffd9b6f2fd3-7ffd9b6f3024 call 7ffd9b6e03c8 call 7ffd9b6e5a08 2485->2486 2487 7ffd9b6f2f30-7ffd9b6f2fb4 call 7ffd9b6e5a10 2485->2487 2499 7ffd9b6f3029-7ffd9b6f303c 2486->2499 2493 7ffd9b6f2fb9-7ffd9b6f2fce 2487->2493 2493->2485
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1994631451.00007FFD9B6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ffd9b6e0000_techno POORD035338.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6a89d12f9afa17c782468767b98f364cf6631f16cb8a0745186f2210b4290628
                                            • Instruction ID: d24e71f3ac7baffcc311f82aa2acbe4418084e26ae7eaf8c1eece8da5b20c94b
                                            • Opcode Fuzzy Hash: 6a89d12f9afa17c782468767b98f364cf6631f16cb8a0745186f2210b4290628
                                            • Instruction Fuzzy Hash: 2D125931B1E94E0FF7BCD69C98261B47BD2EF94310B9502B9F06DCB2A2DD1879064B81

                                            Control-flow Graph

                                            control_flow_graph 2654 7ffd9b6eaa29-7ffd9b6eaa49 2656 7ffd9b6eaa4b-7ffd9b6eaa74 2654->2656 2657 7ffd9b6eaa93-7ffd9b6eaaaa call 7ffd9b6e6450 call 7ffd9b6e6bb0 2654->2657 2658 7ffd9b6eab3a 2656->2658 2659 7ffd9b6eaa7a-7ffd9b6eaa91 2656->2659 2657->2658 2667 7ffd9b6eaab0-7ffd9b6eaabe 2657->2667 2663 7ffd9b6eab3e-7ffd9b6eab4b 2658->2663 2659->2657 2665 7ffd9b6eab8d-7ffd9b6eab8f 2663->2665 2666 7ffd9b6eab4d-7ffd9b6eab59 2663->2666 2670 7ffd9b6eab76-7ffd9b6eab8c 2665->2670 2671 7ffd9b6eab91-7ffd9b6eab99 2665->2671 2668 7ffd9b6eab5b-7ffd9b6eab5d 2666->2668 2669 7ffd9b6eabd5-7ffd9b6eabf3 call 7ffd9b6e6450 2666->2669 2672 7ffd9b6eab2f-7ffd9b6eab39 2667->2672 2673 7ffd9b6eaac0-7ffd9b6eaac2 2667->2673 2675 7ffd9b6eab5f-7ffd9b6eab6c 2668->2675 2681 7ffd9b6eadcc-7ffd9b6eaddf 2669->2681 2686 7ffd9b6eabf9-7ffd9b6eac14 2669->2686 2670->2665 2671->2681 2682 7ffd9b6eab9f-7ffd9b6eabb5 2671->2682 2673->2663 2677 7ffd9b6eaac4 2673->2677 2679 7ffd9b6eabb6-7ffd9b6eabd4 call 7ffd9b6e9f90 * 2 2675->2679 2680 7ffd9b6eab6e-7ffd9b6eab75 2675->2680 2684 7ffd9b6eab0a-7ffd9b6eab18 2677->2684 2685 7ffd9b6eaac6-7ffd9b6eaacf 2677->2685 2679->2669 2680->2670 2700 7ffd9b6eae21-7ffd9b6eae2c 2681->2700 2701 7ffd9b6eade1-7ffd9b6eade9 2681->2701 2682->2679 2684->2658 2687 7ffd9b6eab1a-7ffd9b6eab26 2684->2687 2689 7ffd9b6eab28-7ffd9b6eab2e 2685->2689 2690 7ffd9b6eaad1-7ffd9b6eaaee 2685->2690 2691 7ffd9b6eac16-7ffd9b6eac19 2686->2691 2692 7ffd9b6eac6d-7ffd9b6eac77 2686->2692 2687->2689 2689->2672 2690->2675 2705 7ffd9b6eaaf0-7ffd9b6eaaf5 2690->2705 2697 7ffd9b6eac1b-7ffd9b6eac3b 2691->2697 2698 7ffd9b6eac9a-7ffd9b6eacd4 2691->2698 2693 7ffd9b6eacef-7ffd9b6eacf7 2692->2693 2703 7ffd9b6eacf9-7ffd9b6eacfe 2693->2703 2704 7ffd9b6ead68-7ffd9b6ead7b 2693->2704 2715 7ffd9b6eac79-7ffd9b6eac8f 2697->2715 2716 7ffd9b6eac3d-7ffd9b6eac6c 2697->2716 2698->2693 2712 7ffd9b6eae3d-7ffd9b6eae5c 2700->2712 2713 7ffd9b6eae2e-7ffd9b6eae3a 2700->2713 2708 7ffd9b6eadeb-7ffd9b6eae0b 
2701->2708 2709 7ffd9b6eae65-7ffd9b6eae6b 2701->2709 2707 7ffd9b6ead7f-7ffd9b6ead8b call 7ffd9b6e3308 2703->2707 2711 7ffd9b6ead00-7ffd9b6ead44 call 7ffd9b6e67f0 2703->2711 2704->2707 2705->2670 2714 7ffd9b6eaaf7-7ffd9b6eab09 call 7ffd9b6e67f0 2705->2714 2728 7ffd9b6ead90-7ffd9b6eada0 2707->2728 2729 7ffd9b6eae19-7ffd9b6eae1f 2708->2729 2730 7ffd9b6eae0d-7ffd9b6eae16 2708->2730 2719 7ffd9b6eae6d-7ffd9b6eae86 2709->2719 2711->2681 2732 7ffd9b6ead4a-7ffd9b6ead67 2711->2732 2712->2719 2720 7ffd9b6eae5e-7ffd9b6eae5f 2712->2720 2713->2712 2714->2684 2715->2698 2716->2692 2726 7ffd9b6eae88-7ffd9b6eae93 2719->2726 2727 7ffd9b6eae96-7ffd9b6eaeab 2719->2727 2720->2709 2726->2727 2728->2681 2734 7ffd9b6eada2-7ffd9b6eadcb 2728->2734 2729->2700 2730->2729 2732->2704
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1994631451.00007FFD9B6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ffd9b6e0000_techno POORD035338.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 454be593c43823cdad02f1f9e02608803849e14072b9faf9cb7fd492c105ecf7
                                            • Instruction ID: 7c1ab5b07268c338776c31bf9fafa48a56e5a20726c517f77203e58bac17fc8e
                                            • Opcode Fuzzy Hash: 454be593c43823cdad02f1f9e02608803849e14072b9faf9cb7fd492c105ecf7
                                            • Instruction Fuzzy Hash: C4F17A31A0EB8E4FE329CB6484A50B177E2FF95301B0546BED4DBCB2A1DE24B556C781
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1994631451.00007FFD9B6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ffd9b6e0000_techno POORD035338.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6380020e1df53d5f50cced42b4c2b7b34b487b4fbaddab3e64f488f6900b3022
                                            • Instruction ID: cf7ca3b322850e2f4a55b388333d9f9d9f483beb4dba336fd9d19d7634fe23f3
                                            • Opcode Fuzzy Hash: 6380020e1df53d5f50cced42b4c2b7b34b487b4fbaddab3e64f488f6900b3022
                                            • Instruction Fuzzy Hash: FF513B3170D64D0FD72E9B6C88661B57BD1EB92320B1682BFD49ACB1E7DC24A9078781

                                            Control-flow Graph

                                            control_flow_graph 1111 7ffd9b6e1fea-7ffd9b6e1ff7 1112 7ffd9b6e1ff9-7ffd9b6e2001 1111->1112 1113 7ffd9b6e2002-7ffd9b6e2013 1111->1113 1112->1113 1114 7ffd9b6e2015-7ffd9b6e201d 1113->1114 1115 7ffd9b6e201e-7ffd9b6e20d9 VirtualProtect 1113->1115 1114->1115 1120 7ffd9b6e20db 1115->1120 1121 7ffd9b6e20e1-7ffd9b6e2112 1115->1121 1120->1121
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1994631451.00007FFD9B6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ffd9b6e0000_techno POORD035338.jbxd
                                            Similarity
                                            • API ID: ProtectVirtual
                                            • String ID:
                                            • API String ID: 544645111-0
                                            • Opcode ID: 2070c5f4ab075806df002fcb4f9f7852fd3ce98b6783c2558b51cf68ef8eeabf
                                            • Instruction ID: d587d7dba199e2a7ed4614a0f50d274ea4fb04bddb18336dfd6bda0c95bf4158
                                            • Opcode Fuzzy Hash: 2070c5f4ab075806df002fcb4f9f7852fd3ce98b6783c2558b51cf68ef8eeabf
                                            • Instruction Fuzzy Hash: B741583190C7884FDB199BA89C166E97BE1EF56320F0442AFD099C31D3DA786806C792

                                            Control-flow Graph

                                            control_flow_graph 1123 7ffd9b6e08b9-7ffd9b6e094c FreeConsole 1127 7ffd9b6e0954-7ffd9b6e097b 1123->1127 1128 7ffd9b6e094e 1123->1128 1128->1127
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1994631451.00007FFD9B6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ffd9b6e0000_techno POORD035338.jbxd
                                            Similarity
                                            • API ID: ConsoleFree
                                            • String ID:
                                            • API String ID: 771614528-0
                                            • Opcode ID: 75814cf14476c710b014844ad4a8f6ee019d9a234deba60dc1a1f8e56a94216d
                                            • Instruction ID: 45cdd6046fc105e24a3410d1bcd8ba204b945dae230712ea3d56b6ae322db26a
                                            • Opcode Fuzzy Hash: 75814cf14476c710b014844ad4a8f6ee019d9a234deba60dc1a1f8e56a94216d
                                            • Instruction Fuzzy Hash: 4221D27090CB4C8FDB29DF59C845AF97BF0EB56320F00426FD099C31A2DA256849CB51
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1994941216.00007FFD9B7B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ffd9b7b0000_techno POORD035338.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e66ce214ccc8d3354f74c4e929c6a672156348bced931d178c04231804c9c14f
                                            • Instruction ID: 09c48e948d74558f21d063b48162ee79b8a80c34005848466dc497a808e7ceba
                                            • Opcode Fuzzy Hash: e66ce214ccc8d3354f74c4e929c6a672156348bced931d178c04231804c9c14f
                                            • Instruction Fuzzy Hash: 00814A31A1EB9D4FEB65DB6888665A47BE0FF55300F0602BAD049C75F7DE186D01CB81
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1994941216.00007FFD9B7B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ffd9b7b0000_techno POORD035338.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0d4e4e36d1a12cea9e93ffc04afcef1dd9584e33b7481d43015f358a2ac28be1
                                            • Instruction ID: 1d3e5cfc82b82bc6c599b67fa2483e45befc855752412f7551d904e1fdbc88dd
                                            • Opcode Fuzzy Hash: 0d4e4e36d1a12cea9e93ffc04afcef1dd9584e33b7481d43015f358a2ac28be1
                                            • Instruction Fuzzy Hash: A3310632A09A4D8BEF64DF58C8A55B877E1FF54300B16027AD01AD79A5EE21BD01CB80
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1994941216.00007FFD9B7B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ffd9b7b0000_techno POORD035338.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5267679053824a5964b6eb983a650dc108de18700e4a6d6397ec0174ed853680
                                            • Instruction ID: 537a9ddddb60899be5c4d3473ab64c059c7d4e211cc2824474488c45fdff2b3d
                                            • Opcode Fuzzy Hash: 5267679053824a5964b6eb983a650dc108de18700e4a6d6397ec0174ed853680
                                            • Instruction Fuzzy Hash: 00E0EE31A0562D8ADF60EA48D881BEAB3B1EB98200F0041E6D55DA7291CA306A848F82

                                            Execution Graph

                                            Execution Coverage:11.6%
                                            Dynamic/Decrypted Code Coverage:100%
                                            Signature Coverage:0%
                                            Total number of Nodes:4
                                            Total number of Limit Nodes:1
                                            execution_graph 28369 644e280 28370 644e286 GlobalMemoryStatusEx 28369->28370 28373 644e24d 28369->28373 28372 644e2fe 28370->28372
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.3038252290.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_53c0000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: aa8ddd9412fb805b768e73f5211f8341287b8d6206c3da0e7820819051ba68db
                                            • Instruction ID: 40b91bfcc651aa8c1edb71c9a3cac2c996382e7610c65b35f08c7b5a8ea5861f
                                            • Opcode Fuzzy Hash: aa8ddd9412fb805b768e73f5211f8341287b8d6206c3da0e7820819051ba68db
                                            • Instruction Fuzzy Hash: 7F631C31D10B198ACB11EF68C8845ADF7B1FF99300F15D79AE459B7221EB70AAD4CB81
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.3038252290.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_53c0000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 35b01ed11a9e8e4ae9ecda95ac38174a73757bee71f26521887f2c08d03ddeb7
                                            • Instruction ID: c8724ad1e5729b8c3fd315f68548e1580d48628a4279cdbed87cc06fa1e4c290
                                            • Opcode Fuzzy Hash: 35b01ed11a9e8e4ae9ecda95ac38174a73757bee71f26521887f2c08d03ddeb7
                                            • Instruction Fuzzy Hash: 98332E31D107198ECB11EF68C884AADF7B1FF99300F15D79AE459A7211EB70AAC5CB81
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.3038252290.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_53c0000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f5e339a23ee616fa834d1d4403fbaaefee80c77b93d061fa91c32b4e9d516b7c
                                            • Instruction ID: c38c9e38602c4c186abd27c03fa7bdda9e28d46b8f0b6fd232100485fda90469
                                            • Opcode Fuzzy Hash: f5e339a23ee616fa834d1d4403fbaaefee80c77b93d061fa91c32b4e9d516b7c
                                            • Instruction Fuzzy Hash: 0E328E35A002059FDB14DFA8D984BAEBBB6FF88310F1185A9E50ADB395DB71EC41CB50
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.3038252290.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_53c0000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 49a225522b84b5d128a4f4eb8d3d9f782ba638b29415b00e542157a120af1f12
                                            • Instruction ID: 76aa83df87442cb830bbb83eb1e3cfcc382b70b74ca108e2181348c36140548f
                                            • Opcode Fuzzy Hash: 49a225522b84b5d128a4f4eb8d3d9f782ba638b29415b00e542157a120af1f12
                                            • Instruction Fuzzy Hash: ABB18B70E002099FDF10DFA8C8A57ADBFF2BF88315F14816DD859A7254EB759885CB81
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.3038252290.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_53c0000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ebe5e9e18035c21e76480ea95f15f24b0f603a615e334367245692e1aaa80c03
                                            • Instruction ID: 73a6a1ff9b0997a3adeb09f26137886341227ea0d289f55b712f9d49b5924637
                                            • Opcode Fuzzy Hash: ebe5e9e18035c21e76480ea95f15f24b0f603a615e334367245692e1aaa80c03
                                            • Instruction Fuzzy Hash: F0917870E002099FDF14CFA8D9957AEBFF2BF88304F14856DE409A7254EB749886CB91

                                            Control-flow Graph

                                            control_flow_graph 2391 53c6ed8-53c6f42 call 53c6c40 2400 53c6f5e-53c6f8c 2391->2400 2401 53c6f44-53c6f5d call 53c638c 2391->2401 2407 53c6f8e-53c6f91 2400->2407 2408 53c6fcd-53c6fd0 2407->2408 2409 53c6f93-53c6fc8 2407->2409 2410 53c6fe0-53c6fe3 2408->2410 2411 53c6fd2 2408->2411 2409->2408 2412 53c6fe5-53c6ff9 2410->2412 2413 53c7016-53c7019 2410->2413 2434 53c6fd2 call 53c7918 2411->2434 2435 53c6fd2 call 53c7908 2411->2435 2436 53c6fd2 call 53c80f1 2411->2436 2423 53c6fff 2412->2423 2424 53c6ffb-53c6ffd 2412->2424 2414 53c702d-53c702f 2413->2414 2415 53c701b-53c7022 2413->2415 2419 53c7036-53c7039 2414->2419 2420 53c7031 2414->2420 2417 53c7028 2415->2417 2418 53c70eb-53c70f1 2415->2418 2416 53c6fd8-53c6fdb 2416->2410 2417->2414 2419->2407 2422 53c703f-53c704e 2419->2422 2420->2419 2428 53c7078-53c708d 2422->2428 2429 53c7050-53c7053 2422->2429 2425 53c7002-53c7011 2423->2425 2424->2425 2425->2413 2428->2418 2431 53c705b-53c7076 2429->2431 2431->2428 2431->2429 2434->2416 2435->2416 2436->2416
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.3038252290.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_53c0000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: LR^q$LR^q
                                            • API String ID: 0-4089051495
                                            • Opcode ID: 56b039fc9643153871a4e34b2e92803ae1a7a1845373d24e65e3db363f37c4b4
                                            • Instruction ID: f13157172355f0ffc59b914f4ed71a912c6fd6755c44cd156ea1fe698bb9e2fa
                                            • Opcode Fuzzy Hash: 56b039fc9643153871a4e34b2e92803ae1a7a1845373d24e65e3db363f37c4b4
                                            • Instruction Fuzzy Hash: C341D030E102159FDB15DF68C455BAEBBB6FF89300F10846EE806EB290DB759C468B91

                                            Control-flow Graph

                                            control_flow_graph 3053 644e280-644e284 3054 644e286-644e2fc GlobalMemoryStatusEx 3053->3054 3055 644e24d-644e26e 3053->3055 3058 644e305-644e32d 3054->3058 3059 644e2fe-644e304 3054->3059 3059->3058
                                            APIs
                                            • GlobalMemoryStatusEx.KERNEL32(00000000), ref: 0644E2EF
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.3039726761.0000000006440000.00000040.00000800.00020000.00000000.sdmp, Offset: 06440000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_6440000_RegAsm.jbxd
                                            Similarity
                                            • API ID: GlobalMemoryStatus
                                            • String ID:
                                            • API String ID: 1890195054-0
                                            • Opcode ID: ad93776f6c6656e70bcdf36af4e4b8501c83ac2440afdf79cf72c4226e5cde39
                                            • Instruction ID: d6cee36b351881ff2d6fae2f36495e3463359f7f6bf5a642eaaecfd3086e3bba
                                            • Opcode Fuzzy Hash: ad93776f6c6656e70bcdf36af4e4b8501c83ac2440afdf79cf72c4226e5cde39
                                            • Instruction Fuzzy Hash: 882187B5C0021A8BDB10DFA9C5457DEBBF0FF08320F24852AD858B7240D7389841CFA1

                                            Control-flow Graph

                                            control_flow_graph 3064 644d5ac-644e2c6 3066 644e2ce-644e2fc GlobalMemoryStatusEx 3064->3066 3067 644e305-644e32d 3066->3067 3068 644e2fe-644e304 3066->3068 3068->3067
                                            APIs
                                            • GlobalMemoryStatusEx.KERNEL32(00000000), ref: 0644E2EF
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.3039726761.0000000006440000.00000040.00000800.00020000.00000000.sdmp, Offset: 06440000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_6440000_RegAsm.jbxd
                                            Similarity
                                            • API ID: GlobalMemoryStatus
                                            • String ID:
                                            • API String ID: 1890195054-0
                                            • Opcode ID: 55e2b4539099cbae97832c3985455ee613f3c6abef926b348d57ab247119b0de
                                            • Instruction ID: 5d712d03bdd86dec128fa6d5db5b80109fd6d9b93c598abf75e5bfaac1e75862
                                            • Opcode Fuzzy Hash: 55e2b4539099cbae97832c3985455ee613f3c6abef926b348d57ab247119b0de
                                            • Instruction Fuzzy Hash: 451133B1C0066A9BDB10DF9AC544BDEFBB4FB08320F10812AE818B7200D778A940CFA5
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.3038252290.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_53c0000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: PH^q
                                            • API String ID: 0-2549759414
                                            • Opcode ID: 15cc8dbd371dba8c835fa70ac3a785548f7914bfef40ebe31b8c5a44f6e42aca
                                            • Instruction ID: 127807ff00c694efe02f0f3f1f38fcba48b99c20b9f96ef77aac7dfcb366bb79
                                            • Opcode Fuzzy Hash: 15cc8dbd371dba8c835fa70ac3a785548f7914bfef40ebe31b8c5a44f6e42aca
                                            • Instruction Fuzzy Hash: E231EF31B002059FCB19AB74D5546AE7BA7BF89200F2484ADE406DB385EF79DC46CBA1
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.3038252290.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_53c0000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: PH^q
                                            • API String ID: 0-2549759414
                                            • Opcode ID: 2af0ee31a0015ef6d0147efc3e87ae47bd89199d308b582ef805c808e7a82474
                                            • Instruction ID: 30c47b1ee35a43b98421bd42edb270db6b3809624ca705790c6cc349a85ab900
                                            • Opcode Fuzzy Hash: 2af0ee31a0015ef6d0147efc3e87ae47bd89199d308b582ef805c808e7a82474
                                            • Instruction Fuzzy Hash: 6331DE30B002059FCB19AB74D56466E7BA7BFC9200F2084ACD406DB389EF79DC46CBA1
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.3038252290.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_53c0000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: LR^q
                                            • API String ID: 0-2625958711
                                            • Opcode ID: b97ddd2e45dbff533c0673bfff6ff9d9b8d936347313c5a3a29c1c7336d5e7ba
                                            • Instruction ID: 73a1f0e8d6f8622068f6d1e7fe39e6d560695c9c8c2a96fe4264be24afca2748
                                            • Opcode Fuzzy Hash: b97ddd2e45dbff533c0673bfff6ff9d9b8d936347313c5a3a29c1c7336d5e7ba
                                            • Instruction Fuzzy Hash: 2731A631E102199BDF14CFA9C441BAEBBB6FF49340F10856DE805EB240DBB19C46CB51
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.3038252290.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_53c0000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: LR^q
                                            • API String ID: 0-2625958711
                                            • Opcode ID: 3347d8a346a72c3865dc9d35a8ad0b5f72a2b8735de0ae2435022b72313a2f37
                                            • Instruction ID: f1feeb06abf0cf2a48c0e1ca68d5b7fb5319813d7d5dc4686107af4c0ac99158
                                            • Opcode Fuzzy Hash: 3347d8a346a72c3865dc9d35a8ad0b5f72a2b8735de0ae2435022b72313a2f37
                                            • Instruction Fuzzy Hash: 0E1129727042415FD305ABB8C49A3DD7FB1EB8A604F14846FC08ACB751DE7898478792
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.3038252290.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_53c0000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f7354018f1cb4d57f5bd9a752599131c6c4b999022ddefc36502b61e6a73e2bb
                                            • Instruction ID: b5e297591314344a83174cbe649dd2d0f8a014371998bcfa029ba2e2e1214315
                                            • Opcode Fuzzy Hash: f7354018f1cb4d57f5bd9a752599131c6c4b999022ddefc36502b61e6a73e2bb
                                            • Instruction Fuzzy Hash: B4122A30700112CFCB15BA78E594A2CBBA7FB89244B508A7DE506CB355CFB9EC468F95
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.3038252290.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_53c0000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: db99b4303291e5f30db6125bca39d60bbd18f0bf9734631c72504bff4e6ecbbd
                                            • Instruction ID: 4ee201ecd4b43c57a24ae85d6186f56760ba735f6a45dceed64bc33d79220c4b
                                            • Opcode Fuzzy Hash: db99b4303291e5f30db6125bca39d60bbd18f0bf9734631c72504bff4e6ecbbd
                                            • Instruction Fuzzy Hash: 1F122A30700112CFCB15BA78E594A2CBBA7FB89244B508A7DE506CB355CFB9EC468F95
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.3038252290.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_53c0000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: def3b4bbbc00b8da79538a60b91e3752e96726cb19e80ce2625f49f4fe2d16d2
                                            • Instruction ID: 27ff9c64eaa16bfcd26d7f5a84688f78bb062f25854246de3725146088134842
                                            • Opcode Fuzzy Hash: def3b4bbbc00b8da79538a60b91e3752e96726cb19e80ce2625f49f4fe2d16d2
                                            • Instruction Fuzzy Hash: 5AB19970E002099FDF10CFA8D8A57ADBFF2BF48315F14816DD859AB254EB749885CB81
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.3038252290.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_53c0000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4f6831632705488454a2739d435cac7915afc08fe14beb057d39717a0ebed3db
                                            • Instruction ID: 15f3685767a37c16105381e770cca6417c165a08985c4782ce13f949b7b8fe2c
                                            • Opcode Fuzzy Hash: 4f6831632705488454a2739d435cac7915afc08fe14beb057d39717a0ebed3db
                                            • Instruction Fuzzy Hash: 21913D35A101049FCB14DFA8D994BADBBB2FF88310F1585A9E806E73A5DB75EC42CB50
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.3038252290.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_53c0000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 777cea6751a46a376eb5e11cd7bb3176449832f5b04f9c968dd6b08cd6d603e7
                                            • Instruction ID: 59dc9b42b2cdcf19a25bf40f2a63435f1e10a0ee13cc89dc98ed15b2dd6b4bf5
                                            • Opcode Fuzzy Hash: 777cea6751a46a376eb5e11cd7bb3176449832f5b04f9c968dd6b08cd6d603e7
                                            • Instruction Fuzzy Hash: 859168B0E002099FDF10CFA8D9957DEBFF2BF48304F148569E449A7254EB749886CB91
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.3038252290.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_53c0000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f0c627e18ee2cef54a306f8491a47ebdf62e896430c35a9ffcb603cf541423ee
                                            • Instruction ID: d3cdd2b0596135c5ae4898cb200f4fd39efb751a0e86ea8b9661c23e6c6dd1e5
                                            • Opcode Fuzzy Hash: f0c627e18ee2cef54a306f8491a47ebdf62e896430c35a9ffcb603cf541423ee
                                            • Instruction Fuzzy Hash: 2A7168B0E002598FDF14CFA9D89479EBFF2BF88315F148129E419AB254EB749846CB85
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.3038252290.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_53c0000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5655da1f88b6b604564742022dc73d922d16b6b117c9b143788db155049770fa
                                            • Instruction ID: 7a183e50440b3dd1caefa6763c2ae2833a22ec696a7c1cdbeccf7dd79bbb37b2
                                            • Opcode Fuzzy Hash: 5655da1f88b6b604564742022dc73d922d16b6b117c9b143788db155049770fa
                                            • Instruction Fuzzy Hash: 7F7177B4E00259CFDF10CFA8D99479DBFF2BF48315F148129E819AB254EB749886CB91
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.3038252290.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_53c0000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f266f068426ebaab89958998b42f739e3e1f5dd8dd5adb436321d494803ba215
                                            • Instruction ID: 2cf3ef5a61098895a417bd6867f13e43118264e92b17eb53c7885bbd0e4c0ec0
                                            • Opcode Fuzzy Hash: f266f068426ebaab89958998b42f739e3e1f5dd8dd5adb436321d494803ba215
                                            • Instruction Fuzzy Hash: 21512371D002288FDB14CFADC949B9DBBB1BF48314F14806EE81ABB351CBB4A845CB91
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.3038252290.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_53c0000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 905cc4948dbf24d5217601e85b6c352393ac1416b138b12589eedea5a1f6738c
                                            • Instruction ID: c637457f93168d15d80d7b9791fd36d803b3ab8b6e65fa6b989a0b26cd0d07f3
                                            • Opcode Fuzzy Hash: 905cc4948dbf24d5217601e85b6c352393ac1416b138b12589eedea5a1f6738c
                                            • Instruction Fuzzy Hash: 18510471D002288FDB14CFADC849B9DBBB1BF48714F14816EE81ABB351DBB4A845CB95
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.3038252290.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_53c0000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 83f938ade9211bb606e909a57fa49349c2cc927e1b3043fd68aade615c3bebbf
                                            • Instruction ID: b1d27077ab0a87505061de27d0370691a3ca6ccddaf6d79f23302fa8af6dabce
                                            • Opcode Fuzzy Hash: 83f938ade9211bb606e909a57fa49349c2cc927e1b3043fd68aade615c3bebbf
                                            • Instruction Fuzzy Hash: 8E510A31641156CFCB16FF6AF9909547BBAE792304B044B68E2104F33EDB607949CF54
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.3038252290.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_53c0000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 61bcedec56ca6dd2de18f60af9f38043dc01895e2fa4fc70ccd6b99897df5f00
                                            • Instruction ID: 3c89b015ae40543388159cb6ff3feeb845ec717501b516f353fcd07ce8edc964
                                            • Opcode Fuzzy Hash: 61bcedec56ca6dd2de18f60af9f38043dc01895e2fa4fc70ccd6b99897df5f00
                                            • Instruction Fuzzy Hash: B851D7306412668FCB16FF6AF9909547BBAE791304B448B69E2104F33EDB607949CF94
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.3038252290.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_53c0000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0ef2bd8ff106721c731223e39a7ade7e3327083e2c98f7f9b43133c56125ef35
                                            • Instruction ID: 156e9a7c74115e2789665fd57f8b7be5635753efbfd1392376e47c820096930c
                                            • Opcode Fuzzy Hash: 0ef2bd8ff106721c731223e39a7ade7e3327083e2c98f7f9b43133c56125ef35
                                            • Instruction Fuzzy Hash: 63317035E002059BCF15DFA5D895AAEBBB2FF89300F148519E806E7750DB71EC46CB50
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.3038252290.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_53c0000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b32827fbd2af56eb88e0836e4ddc692982b59f12fb204b61ad681cffc1f184ac
                                            • Instruction ID: 97720a1186bbe679a7d5d6fba7374cc734e169235d19fa724ee5d27b337fab6c
                                            • Opcode Fuzzy Hash: b32827fbd2af56eb88e0836e4ddc692982b59f12fb204b61ad681cffc1f184ac
                                            • Instruction Fuzzy Hash: 4F4112B4D00349DFDB10CFA9C884ADEBFB5FF48310F248029E849AB254DB75A945CB90
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.3038252290.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_53c0000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 37e233914007db20074a895a7a1ae5c7edf898cc7510c0a3d08e18de384edd45
                                            • Instruction ID: 2a2ab03e5a064768026f33668767e2a4b828421b71c5ce2476b5c0b0c8312ef5
                                            • Opcode Fuzzy Hash: 37e233914007db20074a895a7a1ae5c7edf898cc7510c0a3d08e18de384edd45
                                            • Instruction Fuzzy Hash: 7F315C39E006059BCF15DFA5D894AAEBBB7BF89300F148929E806E7750DB71EC46CB50
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.3038252290.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_53c0000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 63005b8516aebf0d22c4ddaa562e9b8a6746f3700f872aec39c38f0d40adb3ea
                                            • Instruction ID: b5eb18f30a4cd0f09ef8c841e297102720a5f4eb9fda9e2abd1a9d80dc27ee00
                                            • Opcode Fuzzy Hash: 63005b8516aebf0d22c4ddaa562e9b8a6746f3700f872aec39c38f0d40adb3ea
                                            • Instruction Fuzzy Hash: 1C41F0B4D00349DFDB10CFA9C984ADEBFB5FF48314F148429E809AB254DB75A985CB90
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.3038252290.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_53c0000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a004be34942aa0f0086bfba9c7d8765bb2b775ffdcedd071b4aa283714f7d5c0
                                            • Instruction ID: 41fc60284bb9d79acf06922000af1c703d80e4bcb24da68bc478fdd5463b2253
                                            • Opcode Fuzzy Hash: a004be34942aa0f0086bfba9c7d8765bb2b775ffdcedd071b4aa283714f7d5c0
                                            • Instruction Fuzzy Hash: 5E316F32E002099BCF05CFA5D884BAEFB72BF89304F548559E806AB241DB70E8468B50
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.3038252290.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_53c0000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b7b4a88a769e2497b45f46cf4ce8e9012eb18f36f4d8e0c7ab280b4152f481ac
                                            • Instruction ID: bae08df55569888a094c53ba9ae97aca5d8ce9a335a39344858199195e849c28
                                            • Opcode Fuzzy Hash: b7b4a88a769e2497b45f46cf4ce8e9012eb18f36f4d8e0c7ab280b4152f481ac
                                            • Instruction Fuzzy Hash: 0B215331E002099BCF05DFA5D894BAEFBB2BF89300F558659E406EB351DBB1AC46CB50
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.3038252290.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_53c0000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: bde5d338d0a05266780a3aa9cbcd404a8e90e4abb8d624c0e1646e79dee2084a
                                            • Instruction ID: d731d4a0ef5661c55f0813e0ff651aa97cf2b6dbb849973ff11008754833d35e
                                            • Opcode Fuzzy Hash: bde5d338d0a05266780a3aa9cbcd404a8e90e4abb8d624c0e1646e79dee2084a
                                            • Instruction Fuzzy Hash: 7E21A4345101114FDF26FB25E884B697B66FB45304F104BA5E416CB36AEBA4DC89CB91
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.3038252290.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_53c0000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3915f1b18cc1523ebb59abcfffe939a6a20d5dd0ed6b6befad12beb1dbe36f27
                                            • Instruction ID: bd45ae937a694a968643af0e8ed4ac53299abdd81209359367b8ee5850a15ec6
                                            • Opcode Fuzzy Hash: 3915f1b18cc1523ebb59abcfffe939a6a20d5dd0ed6b6befad12beb1dbe36f27
                                            • Instruction Fuzzy Hash: 45215136E002099BDF19CFA4D845AEEBBB2BF89304F15855EE816B7340DB70AC46CB51
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.3035075786.000000000133D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0133D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_133d000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1c01bb0c2dd17d5c805bc6fcf1f0a775e954a69acc97a7f50a0a9c0ffef9a4d5
                                            • Instruction ID: 88d59de2bec90c035b5cd49ae2aabf0476227f3c0c18b4c0cf1b069dc8da63ec
                                            • Opcode Fuzzy Hash: 1c01bb0c2dd17d5c805bc6fcf1f0a775e954a69acc97a7f50a0a9c0ffef9a4d5
                                            • Instruction Fuzzy Hash: AA213070604204DFCB11DF68D980B26FBA5EB84B18F60C569D80A4B256C33AC446CA61
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.3038252290.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_53c0000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID: