Edit tour

Windows Analysis Report
PO P24-1100.exe

Overview

General Information

Sample name:	PO P24-1100.exe
Analysis ID:	1559494
MD5:	d407b5bfa95d6549fceb3acd0a791c2b
SHA1:	f368052bae8505671cbdbab47acfe5994dc14417
SHA256:	11013cdd71339c3aac7041ef80912c8c03786f5967d58c539af0d560687089e8
Tags:	AgentTeslaexeuser-xzx
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected AntiVM3

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

PO P24-1100.exe (PID: 6768 cmdline: "C:\Users\user\Desktop\PO P24-1100.exe" MD5: D407B5BFA95D6549FCEB3ACD0A791C2B)

powershell.exe (PID: 4900 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO P24-1100.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 2172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PO P24-1100.exe (PID: 2596 cmdline: "C:\Users\user\Desktop\PO P24-1100.exe" MD5: D407B5BFA95D6549FCEB3ACD0A791C2B)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Host": "mail.mbarieservicesltd.com", "Username": "saless@mbarieservicesltd.com", "Password": "     *o9H+18Q4%;M     "}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000003.00000002.2944805908.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000002.1732307986.0000000003D19000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000003.00000002.2947100789.0000000002971000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.2947100789.0000000002971000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: PO P24-1100.exe PID: 6768	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: PO P24-1100.exe PID: 2596	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: PO P24-1100.exe PID: 2596	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
decrypted.memstr	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
decrypted.memstr	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.PO P24-1100.exe.3f0a580.1.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
3.2.PO P24-1100.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.PO P24-1100.exe.3ee1560.3.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.PO P24-1100.exe.3f0a580.1.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.PO P24-1100.exe.3ee1560.3.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO P24-1100.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO P24-1100.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PO P24-1100.exe", ParentImage: C:\Users\user\Desktop\PO P24-1100.exe, ParentProcessId: 6768, ParentProcessName: PO P24-1100.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO P24-1100.exe", ProcessId: 4900, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO P24-1100.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO P24-1100.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PO P24-1100.exe", ParentImage: C:\Users\user\Desktop\PO P24-1100.exe, ParentProcessId: 6768, ParentProcessName: PO P24-1100.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO P24-1100.exe", ProcessId: 4900, ProcessName: powershell.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: PO P24-1100.exe

Avira: detected

Found malware configuration

Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "mail.mbarieservicesltd.com", "Username": "saless@mbarieservicesltd.com", "Password": " *o9H+18Q4%;M "}

Multi AV Scanner detection for submitted file

Source: PO P24-1100.exe

ReversingLabs: Detection: 34%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: PO P24-1100.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: /log.tmp
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: <br>[
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: yyyy-MM-dd HH:mm:ss
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: ]<br>
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: <br>
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: Time:
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: MM/dd/yyyy HH:mm:ss
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: <br>User Name:
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: <br>Computer Name:
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: <br>OSFullName:
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: <br>CPU:
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: <br>RAM:
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: <br>
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: IP Address:
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: <br>
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: <hr>
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: New
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: MM/dd/yyyy HH:mm:ss
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: IP Address:
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: false
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: false
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: false
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: false
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: false
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: false
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: false
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: false
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: false
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: mail.mbarieservicesltd.com
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: saless@mbarieservicesltd.com
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: *o9H+18Q4%;M
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: iinfo@mbarieservicesltd.com
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: false
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: false
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: appdata
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: KTvkzEc
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: KTvkzEc.exe
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: KTvkzEc
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: Type
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: <br>
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: <hr>
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: <br>
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: <b>[
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: ]</b> (
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: )<br>
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: {BACK}
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: {ALT+TAB}
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: {ALT+F4}
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: {TAB}
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: {ESC}
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: {Win}
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: {CAPSLOCK}
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: {KEYUP}
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: {KEYDOWN}
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: {KEYLEFT}
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: {KEYRIGHT}
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: {DEL}
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: {END}
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: {HOME}
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: {Insert}
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: {NumLock}
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: {PageDown}
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: {PageUp}
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: {ENTER}
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: {F1}
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: {F2}
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: {F3}
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: {F4}
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: {F5}
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: {F6}
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: {F7}
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: {F8}
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: {F9}
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: {F10}
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: {F11}
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: {F12}
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: control
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: {CTRL}
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: &
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: <
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: >
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: "
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: <br><hr>Copied Text: <br>
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: <hr>
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: logins
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: IE/Edge
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: Windows Secure Note
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: 3CCD5499-87A8-4B10-A215-608888DD3B55
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: Windows Web Password Credential
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: 154E23D0-C644-4E6F-8CE6-5069272F999F
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: Windows Credential Picker Protector
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: Web Credentials
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: Windows Credentials
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: Windows Domain Certificate Credential
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: 3E0E35BE-1B77-43E7-B873-AED901B6275B
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: Windows Domain Password Credential
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: Windows Extended Credential
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: 00000000-0000-0000-0000-000000000000
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: SchemaId
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: pResourceElement
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: pIdentityElement
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: pPackageSid
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: pAuthenticatorElement
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: IE/Edge
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: UC Browser
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: UCBrowser\
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: Login Data
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: journal
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: wow_logins
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: Safari for Windows
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: \Common Files\Apple\Apple Application Support\plutil.exe
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: \Apple Computer\Preferences\keychain.plist
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: <array>
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: <dict>
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: <string>
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: </string>
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: <string>
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: </string>
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: <data>
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: </data>
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: -convert xml1 -s -o "
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: \fixed_keychain.xml"
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: \Microsoft\Credentials\
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: \Microsoft\Credentials\
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: \Microsoft\Credentials\
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: \Microsoft\Credentials\
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: \Microsoft\Protect\
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: credential
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: QQ Browser
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: Tencent\QQBrowser\User Data
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: \Default\EncryptedStorage
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: Profile
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: \EncryptedStorage
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: entries
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: category
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: Password
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: str3
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: str2
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: blob0
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: password_value
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: IncrediMail
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: PopPassword
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: SmtpPassword
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: Software\IncrediMail\Identities\
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: \Accounts_New
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: PopPassword
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: SmtpPassword
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: SmtpServer
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: EmailAddress
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: Eudora
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: Software\Qualcomm\Eudora\CommandLine\
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: current
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: Settings
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: SavePasswordText
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: Settings
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: ReturnAddress
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: Falkon Browser
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: \falkon\profiles\
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: profiles.ini
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: startProfile=([A-z0-9\/\.\"]+)
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: profiles.ini
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: \browsedata.db
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: autofill
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: ClawsMail
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: \Claws-mail
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: \clawsrc
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: \clawsrc
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: passkey0
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: master_passphrase_salt=(.+)
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: master_passphrase_pbkdf2_rounds=(.+)
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: \accountrc
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: smtp_server
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: address
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: account
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: \passwordstorerc
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: {(.),(.)}(.*)
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: Flock Browser
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: APPDATA
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: \Flock\Browser\
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: signons3.txt
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: DynDns
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: ALLUSERSPROFILE
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: Dyn\Updater\config.dyndns
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: username=
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: password=
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: https://account.dyn.com/
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: t6KzXhCh
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: ALLUSERSPROFILE
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: Dyn\Updater\daemon.cfg
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: global
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: accounts
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: account.
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: username
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: account.
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: password
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: Psi/Psi+
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: name
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: password
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: Psi/Psi+
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: APPDATA
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: \Psi\profiles
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: APPDATA
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: \Psi+\profiles
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: \accounts.xml
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: \accounts.xml
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: OpenVPN
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: Software\OpenVPN-GUI\configs
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: Software\OpenVPN-GUI\configs
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: Software\OpenVPN-GUI\configs\
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: username
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: auth-data
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: entropy
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: USERPROFILE
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: \OpenVPN\config\
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: remote
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: remote
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: NordVPN
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: NordVPN
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: NordVpn.exe*
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: user.config
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: //setting[@name='Username']/value
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: //setting[@name='Password']/value
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: NordVPN
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: Private Internet Access
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: %ProgramW6432%
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: Private Internet Access\data
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: ProgramFiles(x86)
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: \Private Internet Access\data
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: \account.json
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: ."username":"(.?)"
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: ."password":"(.?)"
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: Private Internet Access
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: privateinternetaccess.com
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: FileZilla
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: APPDATA
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: \FileZilla\recentservers.xml
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: APPDATA
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: \FileZilla\recentservers.xml
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: <Server>
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: <Host>
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: <Host>
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: </Host>
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: <Port>
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: </Port>
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: <User>
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: <User>
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: </User>
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: <Pass encoding="base64">
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: <Pass encoding="base64">
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: </Pass>
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: <Pass>
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: <Pass encoding="base64">
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: </Pass>
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: CoreFTP
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: SOFTWARE\FTPWare\COREFTP\Sites
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: User
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: Host
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: Port
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: hdfzpysvpzimorhk
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: WinSCP
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: HostName
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: UserName
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: Password
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: PublicKeyFile
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: PortNumber
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: [PRIVATE KEY LOCATION: "{0}"]
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: WinSCP
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: ABCDEF
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: Flash FXP
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: port
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: user
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: pass
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: quick.dat
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: Sites.dat
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: \FlashFXP\
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: \FlashFXP\
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: yA36zA48dEhfrvghGRg57h5UlDv3
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: FTP Navigator
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: SystemDrive
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: \FTP Navigator\Ftplist.txt
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: Server
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: Password
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: No Password
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: User
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: SmartFTP
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: APPDATA
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: SmartFTP\Client 2.0\Favorites\Quick Connect
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: WS_FTP
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: appdata
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: Ipswitch\WS_FTP\Sites\ws_ftp.ini
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: HOST
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: PWD=
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: PWD=
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: FtpCommander
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: SystemDrive
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: \Program Files (x86)\FTP Commander Deluxe\Ftplist.txt
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: SystemDrive
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: \Program Files (x86)\FTP Commander\Ftplist.txt
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: SystemDrive
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: \cftp\Ftplist.txt
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: \VirtualStore\Program Files (x86)\FTP Commander\Ftplist.txt
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: \VirtualStore\Program Files (x86)\FTP Commander Deluxe\Ftplist.txt
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: ;Password=
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: ;User=
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: ;Server=
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: ;Port=
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: ;Port=
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: ;Password=
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: ;User=
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: ;Anonymous=
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: FTPGetter
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: \FTPGetter\servers.xml
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: <server>
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: <server_ip>
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: <server_ip>
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: </server_ip>
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: <server_port>
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: </server_port>
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: <server_user_name>
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: <server_user_name>
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: </server_user_name>
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: <server_user_password>
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: <server_user_password>
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: </server_user_password>
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: FTPGetter
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: The Bat!
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: appdata
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: \The Bat!
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: \Account.CFN
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: \Account.CFN
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: +-0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: Becky!
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: HKEY_CURRENT_USER\Software\RimArts\B2\Settings
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: DataDir
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: Folder.lst
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: \Mailbox.ini
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: Account
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: PassWd
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: Account
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: SMTPServer
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: Account
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: MailAddress
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: Becky!
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: Outlook
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: Email
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: IMAP Password
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: POP3 Password
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: HTTP Password
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: SMTP Password
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: Email
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: Email
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: Email
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: IMAP Password
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: POP3 Password
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: HTTP Password
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: SMTP Password
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: Server
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: Windows Mail App
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: COMPlus_legacyCorruptedStateExceptionsPolicy
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: Software\Microsoft\ActiveSync\Partners
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: Email
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: Server
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: SchemaId
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: pResourceElement
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: pIdentityElement
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: pPackageSid
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: pAuthenticatorElement
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: syncpassword
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: mailoutgoing
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: FoxMail
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: HKEY_CURRENT_USER\Software\Aerofox\FoxmailPreview
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: Executable
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: HKEY_CURRENT_USER\Software\Aerofox\Foxmail\V3.1
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: FoxmailPath
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: \Storage\
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: \Storage\
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: \mail
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: \mail
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: \VirtualStore\Program Files\Foxmail\mail
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: \VirtualStore\Program Files\Foxmail\mail
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: \VirtualStore\Program Files (x86)\Foxmail\mail
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: \VirtualStore\Program Files (x86)\Foxmail\mail
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: \Accounts\Account.rec0
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: \Accounts\Account.rec0
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: \Account.stg
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: \Account.stg
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: POP3Host
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: SMTPHost
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: IncomingServer
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: Account
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: MailAddress
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: Password
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: POP3Password
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: Opera Mail
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: \Opera Mail\Opera Mail\wand.dat
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: \Opera Mail\Opera Mail\wand.dat
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: opera:
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: abcdefghijklmnopqrstuvwxyz1234567890_-.~!@#$%^&*()[{]}\\|';:,<>/?+=
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: PocoMail
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: appdata
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: \Pocomail\accounts.ini
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: Email
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: POPPass
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: SMTPPass
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: SMTP
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: eM Client
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: eM Client\accounts.dat
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: eM Client
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: Accounts
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: "Username":"
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: "Secret":"
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: 72905C47-F4FD-4CF7-A489-4E8121A155BD
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: "ProviderName":"
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: o6806642kbM7c5
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: Mailbird
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: SenderIdentities
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: Accounts
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: \Mailbird\Store\Store.db
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: Server_Host
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: Accounts
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: Email
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: Username
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: EncryptedPassword
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: Mailbird
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: RealVNC 4.x
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: SOFTWARE\Wow6432Node\RealVNC\WinVNC4
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: Password
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: RealVNC 3.x
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: SOFTWARE\RealVNC\vncserver
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: Password
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: RealVNC 4.x
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: SOFTWARE\RealVNC\WinVNC4
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: Password
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: RealVNC 3.x
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: Software\ORL\WinVNC3
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: Password
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: TightVNC
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: Software\TightVNC\Server
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: Password
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: TightVNC
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: Software\TightVNC\Server
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: PasswordViewOnly
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: TightVNC ControlPassword
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: Software\TightVNC\Server
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: ControlPassword
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: TigerVNC
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: Software\TigerVNC\Server
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: Password
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: UltraVNC
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: ProgramFiles(x86)
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: passwd
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: UltraVNC
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: ProgramFiles(x86)
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: passwd2
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: UltraVNC
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: ProgramFiles
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: passwd
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: UltraVNC
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: ProgramFiles
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: passwd2
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: UltraVNC
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: ProgramFiles
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: \UltraVNC\ultravnc.ini
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: passwd
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: UltraVNC
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: ProgramFiles
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: \UltraVNC\ultravnc.ini
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: passwd2
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: UltraVNC
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: ProgramFiles(x86)
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: \UltraVNC\ultravnc.ini
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: passwd
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: UltraVNC
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: ProgramFiles(x86)
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: \UltraVNC\ultravnc.ini
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: passwd2
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: JDownloader 2.0
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: JDownloader 2.0\cfg
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: org.jdownloader.settings.AccountSettings.accounts.ejs
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: JDownloader 2.0\cfg
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: jd.controlling.authentication.AuthenticationControllerSettings.list.ejs
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: Paltalk
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: Software\A.V.M.\Paltalk NG\common_settings\core\users\creds\
Source: 0.2.PO P24-1100.exe.3ee1560.3.unpack	String decryptor: nickname

Source: PO P24-1100.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: PO P24-1100.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: xlCv.pdbSHA256 source: PO P24-1100.exe
Source:	Binary string: xlCv.pdb source: PO P24-1100.exe

Source: unknown

DNS traffic detected: query: mail.mbarieservicesltd.com replaycode: Server failure (2)

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: mail.mbarieservicesltd.com

Source: PO P24-1100.exe, 00000000.00000002.1731687325.0000000002D85000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: PO P24-1100.exe, 00000000.00000002.1737153746.00000000071B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: PO P24-1100.exe, 00000000.00000002.1737153746.00000000071B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: PO P24-1100.exe, 00000000.00000002.1737153746.00000000071B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: PO P24-1100.exe, 00000000.00000002.1737153746.00000000071B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: PO P24-1100.exe, 00000000.00000002.1737153746.00000000071B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: PO P24-1100.exe, 00000000.00000002.1737153746.00000000071B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: PO P24-1100.exe, 00000000.00000002.1737153746.00000000071B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: PO P24-1100.exe, 00000000.00000002.1737153746.00000000071B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: PO P24-1100.exe, 00000000.00000002.1737153746.00000000071B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: PO P24-1100.exe, 00000000.00000002.1737153746.00000000071B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: PO P24-1100.exe, 00000000.00000002.1737153746.00000000071B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: PO P24-1100.exe, 00000000.00000002.1737153746.00000000071B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: PO P24-1100.exe, 00000000.00000002.1737153746.00000000071B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: PO P24-1100.exe, 00000000.00000002.1737153746.00000000071B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: PO P24-1100.exe, 00000000.00000002.1737153746.00000000071B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: PO P24-1100.exe, 00000000.00000002.1737153746.00000000071B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: PO P24-1100.exe, 00000000.00000002.1737153746.00000000071B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: PO P24-1100.exe, 00000000.00000002.1737153746.00000000071B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: PO P24-1100.exe, 00000000.00000002.1737153746.00000000071B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: PO P24-1100.exe, 00000000.00000002.1737153746.00000000071B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: PO P24-1100.exe, 00000000.00000002.1737153746.00000000071B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: PO P24-1100.exe, 00000000.00000002.1737153746.00000000071B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: PO P24-1100.exe, 00000000.00000002.1737153746.00000000071B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: PO P24-1100.exe, 00000000.00000002.1737153746.00000000071B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: PO P24-1100.exe, 00000000.00000002.1737153746.00000000071B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Source: C:\Users\user\Desktop\PO P24-1100.exe	Code function: 0_2_00E4DF64	0_2_00E4DF64
Source: C:\Users\user\Desktop\PO P24-1100.exe	Code function: 0_2_02BE7C08	0_2_02BE7C08
Source: C:\Users\user\Desktop\PO P24-1100.exe	Code function: 0_2_02BEA0B1	0_2_02BEA0B1
Source: C:\Users\user\Desktop\PO P24-1100.exe	Code function: 0_2_02BE001B	0_2_02BE001B
Source: C:\Users\user\Desktop\PO P24-1100.exe	Code function: 0_2_02BE0040	0_2_02BE0040
Source: C:\Users\user\Desktop\PO P24-1100.exe	Code function: 0_2_051E9DE8	0_2_051E9DE8
Source: C:\Users\user\Desktop\PO P24-1100.exe	Code function: 0_2_051EACB0	0_2_051EACB0
Source: C:\Users\user\Desktop\PO P24-1100.exe	Code function: 0_2_051E646C	0_2_051E646C
Source: C:\Users\user\Desktop\PO P24-1100.exe	Code function: 0_2_051E8B5A	0_2_051E8B5A
Source: C:\Users\user\Desktop\PO P24-1100.exe	Code function: 0_2_0AA60448	0_2_0AA60448
Source: C:\Users\user\Desktop\PO P24-1100.exe	Code function: 0_2_0AA61AF8	0_2_0AA61AF8
Source: C:\Users\user\Desktop\PO P24-1100.exe	Code function: 3_2_00B14140	3_2_00B14140
Source: C:\Users\user\Desktop\PO P24-1100.exe	Code function: 3_2_00B14D58	3_2_00B14D58
Source: C:\Users\user\Desktop\PO P24-1100.exe	Code function: 3_2_00B14488	3_2_00B14488
Source: C:\Users\user\Desktop\PO P24-1100.exe	Code function: 3_2_062037F8	3_2_062037F8
Source: C:\Users\user\Desktop\PO P24-1100.exe	Code function: 3_2_062019A0	3_2_062019A0
Source: C:\Users\user\Desktop\PO P24-1100.exe	Code function: 3_2_0628C220	3_2_0628C220
Source: C:\Users\user\Desktop\PO P24-1100.exe	Code function: 3_2_06289C23	3_2_06289C23
Source: C:\Users\user\Desktop\PO P24-1100.exe	Code function: 3_2_06280040	3_2_06280040
Source: C:\Users\user\Desktop\PO P24-1100.exe	Code function: 3_2_062894A0	3_2_062894A0
Source: C:\Users\user\Desktop\PO P24-1100.exe	Code function: 3_2_0628A8F8	3_2_0628A8F8
Source: C:\Users\user\Desktop\PO P24-1100.exe	Code function: 3_2_062871D0	3_2_062871D0
Source: C:\Users\user\Desktop\PO P24-1100.exe	Code function: 3_2_062839E8	3_2_062839E8
Source: C:\Users\user\Desktop\PO P24-1100.exe	Code function: 3_2_062839D8	3_2_062839D8
Source: C:\Users\user\Desktop\PO P24-1100.exe	Code function: 3_2_06280028	3_2_06280028

Source: PO P24-1100.exe, 00000000.00000002.1731687325.0000000002D85000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename7b99aba2-3c62-4861-97de-170caa2c3039.exe4 vs PO P24-1100.exe
Source: PO P24-1100.exe, 00000000.00000002.1735468081.0000000005410000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs PO P24-1100.exe
Source: PO P24-1100.exe, 00000000.00000002.1738194356.00000000078E0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs PO P24-1100.exe
Source: PO P24-1100.exe, 00000000.00000000.1696283657.000000000088E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamexlCv.exeB vs PO P24-1100.exe
Source: PO P24-1100.exe, 00000000.00000002.1732307986.0000000003D19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename7b99aba2-3c62-4861-97de-170caa2c3039.exe4 vs PO P24-1100.exe
Source: PO P24-1100.exe, 00000000.00000002.1732307986.0000000003D19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs PO P24-1100.exe
Source: PO P24-1100.exe, 00000000.00000002.1731687325.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs PO P24-1100.exe
Source: PO P24-1100.exe, 00000000.00000002.1725265698.0000000000E6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs PO P24-1100.exe
Source: PO P24-1100.exe, 00000003.00000002.2945839858.0000000000B28000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs PO P24-1100.exe
Source: PO P24-1100.exe, 00000003.00000002.2944805908.000000000042C000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilename7b99aba2-3c62-4861-97de-170caa2c3039.exe4 vs PO P24-1100.exe
Source: PO P24-1100.exe, 00000003.00000002.2944994303.0000000000939000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs PO P24-1100.exe
Source: PO P24-1100.exe	Binary or memory string: OriginalFilenamexlCv.exeB vs PO P24-1100.exe

Source: PO P24-1100.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: PO P24-1100.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.PO P24-1100.exe.3f0a580.1.raw.unpack, O.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO P24-1100.exe.3f0a580.1.raw.unpack, O.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.PO P24-1100.exe.3f0a580.1.raw.unpack, P.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO P24-1100.exe.3f0a580.1.raw.unpack, P.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO P24-1100.exe.3f0a580.1.raw.unpack, N.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO P24-1100.exe.3f0a580.1.raw.unpack, N.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO P24-1100.exe.3f0a580.1.raw.unpack, N.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO P24-1100.exe.3f0a580.1.raw.unpack, N.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.PO P24-1100.exe.3f4eb80.2.raw.unpack, GfgLj0u1p422pIcK9p.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO P24-1100.exe.3f4eb80.2.raw.unpack, ddSoI96RcnCUBdaTbJ.cs	Security API names: _0020.SetAccessControl
Source: 0.2.PO P24-1100.exe.3f4eb80.2.raw.unpack, ddSoI96RcnCUBdaTbJ.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO P24-1100.exe.3f4eb80.2.raw.unpack, ddSoI96RcnCUBdaTbJ.cs	Security API names: _0020.AddAccessRule
Source: 0.2.PO P24-1100.exe.78e0000.5.raw.unpack, GfgLj0u1p422pIcK9p.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO P24-1100.exe.78e0000.5.raw.unpack, ddSoI96RcnCUBdaTbJ.cs	Security API names: _0020.SetAccessControl
Source: 0.2.PO P24-1100.exe.78e0000.5.raw.unpack, ddSoI96RcnCUBdaTbJ.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO P24-1100.exe.78e0000.5.raw.unpack, ddSoI96RcnCUBdaTbJ.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@6/6@4/0

Source: C:\Users\user\Desktop\PO P24-1100.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO P24-1100.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\PO P24-1100.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2172:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_b1u0lg1i.cy2.ps1

Jump to behavior

Source: PO P24-1100.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: PO P24-1100.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\PO P24-1100.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\PO P24-1100.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\PO P24-1100.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\PO P24-1100.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: PO P24-1100.exe

ReversingLabs: Detection: 34%

Source: unknown	Process created: C:\Users\user\Desktop\PO P24-1100.exe "C:\Users\user\Desktop\PO P24-1100.exe"
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO P24-1100.exe"
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process created: C:\Users\user\Desktop\PO P24-1100.exe "C:\Users\user\Desktop\PO P24-1100.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO P24-1100.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process created: C:\Users\user\Desktop\PO P24-1100.exe "C:\Users\user\Desktop\PO P24-1100.exe"	Jump to behavior

Source: C:\Users\user\Desktop\PO P24-1100.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Users\user\Desktop\PO P24-1100.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\PO P24-1100.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\PO P24-1100.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: PO P24-1100.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: PO P24-1100.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: PO P24-1100.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: xlCv.pdbSHA256 source: PO P24-1100.exe
Source:	Binary string: xlCv.pdb source: PO P24-1100.exe

Data Obfuscation

.NET source code contains potential unpacker

Source: PO P24-1100.exe, MainForm.cs	.Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: 0.2.PO P24-1100.exe.78e0000.5.raw.unpack, ddSoI96RcnCUBdaTbJ.cs	.Net Code: jiECT8e0ky System.Reflection.Assembly.Load(byte[])
Source: 0.2.PO P24-1100.exe.3f4eb80.2.raw.unpack, ddSoI96RcnCUBdaTbJ.cs	.Net Code: jiECT8e0ky System.Reflection.Assembly.Load(byte[])

Source: PO P24-1100.exe

Static PE information: 0x860193C9 [Sat Mar 30 09:58:33 2041 UTC]

Source: C:\Users\user\Desktop\PO P24-1100.exe	Code function: 0_2_051E70D2 push ecx; ret	0_2_051E710C
Source: C:\Users\user\Desktop\PO P24-1100.exe	Code function: 3_2_00B113A7 pushfd ; ret	3_2_00B11338
Source: C:\Users\user\Desktop\PO P24-1100.exe	Code function: 3_2_06286636 pushfd ; ret	3_2_06286639
Source: C:\Users\user\Desktop\PO P24-1100.exe	Code function: 3_2_0628711C pushfd ; ret	3_2_0628713B
Source: C:\Users\user\Desktop\PO P24-1100.exe	Code function: 3_2_062865D0 pushfd ; ret	3_2_062865D2

Source: PO P24-1100.exe

Static PE information: section name: .text entropy: 7.978390411078157

Source: 0.2.PO P24-1100.exe.78e0000.5.raw.unpack, rSiaS8zbHOupgjKMqr.cs	High entropy of concatenated method names: 'vWfirehODm', 'jA6iufCxLZ', 'zJki33yTgw', 'wAKidR0oHs', 'keUip2IID6', 'SPKiHhTapv', 'WtWitOJvvG', 'U9XiD6SXV6', 'YO9if7u0l8', 'T8riMNW7XA'
Source: 0.2.PO P24-1100.exe.78e0000.5.raw.unpack, CwLFuwCRtlry8Ihr9x.cs	High entropy of concatenated method names: 'qHdmKfgLj0', 'Tp4m622pIc', 'SRpmlgEOnf', 'hr7mVhGKTZ', 'r7EmoND5Im', 'KqSmvwIUNV', 'bCaAa0NvQOCbua33a6', 'q7ZvORV0IvkwtHYn0w', 'xD7mm2yeT4', 'IeHmEbYj5L'
Source: 0.2.PO P24-1100.exe.78e0000.5.raw.unpack, I8k69bBhcJk8XM1Loc.cs	High entropy of concatenated method names: 'ToString', 'vwtvImMaVm', 'E3kvpiNKfZ', 'NEKvxB3CcU', 'rjcvHH88mO', 'yLkvtaHX13', 'j0pvc71MSs', 'QcevWfBnEY', 'SGDvkscNNw', 'nh8vOtYTR9'
Source: 0.2.PO P24-1100.exe.78e0000.5.raw.unpack, eZQMwHWHjPXCvp9K5E.cs	High entropy of concatenated method names: 'lNYK4irwqR', 'RSUK5ioZ1J', 'bkZKbby2uO', 'DA7bwYGjjP', 'u5ZbzP5VOq', 'Xp8KnZFsVF', 'tKTKmTeINj', 'uZpKapVa5o', 'cCkKELp561', 'zqEKCrcPkf'
Source: 0.2.PO P24-1100.exe.78e0000.5.raw.unpack, AGRIdmacD34X8JqfqL.cs	High entropy of concatenated method names: 'XSPTt801l', 'cViFLpj7u', 'geerPxDsE', 'ltbPT9du2', 'iyX3397Ha', 'O5ZAuTYoY', 'd1SqBwAZ3Eg3GAVYBM', 'Ych46CBgaTsZOBKXiJ', 'kCf9ZyJOx', 'H0disVCcH'
Source: 0.2.PO P24-1100.exe.78e0000.5.raw.unpack, bf22oHyxkktqlUGEyJ.cs	High entropy of concatenated method names: 'NnfUoZbLFK', 'aPvULvT26m', 'n9KUUrWEmi', 'rJGUZwZ56h', 'MSLUhlMgN1', 'CgmUD14tyD', 'Dispose', 'UNQ94uZwYB', 'tbW9qT1SRh', 'HaM95u6ftn'
Source: 0.2.PO P24-1100.exe.78e0000.5.raw.unpack, GfgLj0u1p422pIcK9p.cs	High entropy of concatenated method names: 'S2pqs9Y6rc', 'ysJqYpXFU3', 'n9AqBLPmpN', 'isoq1NWyL6', 'AIJqjUBVUS', 'MhQqG25BBH', 'mWuqyDR912', 'CrdqQaNO6Q', 'OSLqNTcbKu', 'qvLqwi0W32'
Source: 0.2.PO P24-1100.exe.78e0000.5.raw.unpack, jHGFeomCxQWPJ8T99Yt.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ser8UXtkPA', 'mAY8ieeN0o', 'Xd38Z3FFOg', 'd3G887OPJe', 'KPP8hKGoQJ', 'c4n80Wu3A2', 'Ol98DfflVN'
Source: 0.2.PO P24-1100.exe.78e0000.5.raw.unpack, qoISy3O3y1fmTU4uUb.cs	High entropy of concatenated method names: 'd0hKfUWQr3', 'wJ8KM8BZSk', 'eF9KTDIPiD', 'R96KFScDH9', 'l1QKef2qwu', 'qjXKrTJJme', 'JVXKPAYcKv', 'XguKueBCOe', 'EudK33r25X', 'SR3KAmyjq1'
Source: 0.2.PO P24-1100.exe.78e0000.5.raw.unpack, NC33vps37PRKumb6WG.cs	High entropy of concatenated method names: 'dO5ogxFJbk', 'wCGoSo3ViP', 'YqMos2STp7', 'Q88oYG1rCJ', 'wnYopfSv6c', 'eIwoxmSXlE', 'LkLoHwVUmY', 'bxuotJCvRk', 'Bsgoc8cjge', 'Le3oWse54f'
Source: 0.2.PO P24-1100.exe.78e0000.5.raw.unpack, giDPdkwbniocP5qfiG.cs	High entropy of concatenated method names: 'v7Vi5g9UQt', 'vfTiXb99OK', 'NZvibBcUf4', 'jBriKexCxl', 'n6kiU6qV9f', 'Wc9i6BkPYD', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.PO P24-1100.exe.78e0000.5.raw.unpack, PidoDDqUDqWxXxx5PB.cs	High entropy of concatenated method names: 'Dispose', 'MtqmNlUGEy', 'NphapTLgBW', 'DYm0Tfo9uX', 'Q6emwUCR1k', 'eOemz6j3GH', 'ProcessDialogKey', 'iJLanTT9e5', 'Q1BamdKikT', 'sQYaaqiDPd'
Source: 0.2.PO P24-1100.exe.78e0000.5.raw.unpack, Lq1kpNmmQkyvFgE8dID.cs	High entropy of concatenated method names: 'g1PiwLUkgU', 'sPoizEdRUa', 'pOKZnYiKEs', 'AGxZm41Ucl', 'JMPZaMoGUD', 'g7nZE0hjOx', 'qcLZCAyfHS', 'i7EZ24cjrQ', 'CqnZ4NNYqd', 'ChsZqtSoFU'
Source: 0.2.PO P24-1100.exe.78e0000.5.raw.unpack, aOhgWcmndciGiypg5s2.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'qVoiI2ewNQ', 'SOTiSoSMdm', 's5LiJd5yn6', 'mRbisLqsIx', 'Q35iYAkRbq', 'DOjiBVIwVn', 'iERi1ExPeA'
Source: 0.2.PO P24-1100.exe.78e0000.5.raw.unpack, K93061JJd1VbooLmkd.cs	High entropy of concatenated method names: 'sCuRul3W2D', 'lccR3p91Gk', 'pHFRdvTPOm', 'iCqRpdYvfP', 'CDaRHpmMb8', 'qgwRtMZSvt', 'gRjRWf7JSH', 'xhSRkuGsMx', 'rrgRgSXWqB', 'n8URIcRCFZ'
Source: 0.2.PO P24-1100.exe.78e0000.5.raw.unpack, EfUtvJ13YEuCM8k0GW.cs	High entropy of concatenated method names: 'RRuLl7b829', 'CWILVrYmO5', 'ToString', 'HFWL477ofY', 'HG3LqhcIjU', 'UlEL5IwjHo', 'QQqLXPnMLd', 'MBQLb8dGhp', 'aAZLKV8kHd', 'cSiL6i9KMk'
Source: 0.2.PO P24-1100.exe.78e0000.5.raw.unpack, qTT9e5Ns1BdKikTiQY.cs	High entropy of concatenated method names: 'eyQUdVlWEG', 'iDhUpa5KFv', 'hgZUxCeBEg', 'KrlUHfanb2', 'PDsUtAgP0S', 'umgUcLYlgU', 'yjlUWLyZbH', 'QE1UkTu5ZK', 'wFVUOE9Clq', 'hEfUg9yFPU'
Source: 0.2.PO P24-1100.exe.78e0000.5.raw.unpack, ddSoI96RcnCUBdaTbJ.cs	High entropy of concatenated method names: 'XEcE2QuNpg', 'kIFE4SJ4Bi', 'LNJEqKJnht', 'ukEE5woaGL', 'qdZEX7wiAo', 'OABEb7GMyW', 'yGbEK6mr5B', 'WqFE6Qr3ee', 'RKmE7c2McU', 'LZiEl0OqGj'
Source: 0.2.PO P24-1100.exe.78e0000.5.raw.unpack, y9BhMB3RpgEOnf5r7h.cs	High entropy of concatenated method names: 'o0Z5FGeXan', 'hOb5rdIYCn', 'V345uHKepg', 'vgJ53nIh9b', 'Aho5o4yBBk', 'PmU5vWFHCw', 'OX75L3WVMM', 'XOy59F17ph', 'VBq5Ugo8rG', 'PgN5i7IPKt'
Source: 0.2.PO P24-1100.exe.78e0000.5.raw.unpack, hImcqSdwIUNV0IcXpy.cs	High entropy of concatenated method names: 'qM1b2sJC8x', 'GJqbqj0m7D', 'fODbXEKKbZ', 'nSsbKBUYtQ', 'IbAb6Bs7mF', 'z2LXjfppYp', 'DLxXGe3I1O', 'OxUXySQqP7', 'z7HXQOk4Ec', 'o7SXNJvPIs'
Source: 0.2.PO P24-1100.exe.78e0000.5.raw.unpack, k4P9W7GiW52QidbN6E.cs	High entropy of concatenated method names: 'IpILQ5NdoK', 'Rl7LwtT7BR', 'O0A9nKJJgb', 'LEJ9mK8eyc', 'RQ1LIygdRl', 'NsjLSmJHB4', 'KecLJP33hW', 'FEfLsa5MNY', 'p7ILYKLEM6', 'N3xLBMn5Vs'
Source: 0.2.PO P24-1100.exe.3f4eb80.2.raw.unpack, rSiaS8zbHOupgjKMqr.cs	High entropy of concatenated method names: 'vWfirehODm', 'jA6iufCxLZ', 'zJki33yTgw', 'wAKidR0oHs', 'keUip2IID6', 'SPKiHhTapv', 'WtWitOJvvG', 'U9XiD6SXV6', 'YO9if7u0l8', 'T8riMNW7XA'
Source: 0.2.PO P24-1100.exe.3f4eb80.2.raw.unpack, CwLFuwCRtlry8Ihr9x.cs	High entropy of concatenated method names: 'qHdmKfgLj0', 'Tp4m622pIc', 'SRpmlgEOnf', 'hr7mVhGKTZ', 'r7EmoND5Im', 'KqSmvwIUNV', 'bCaAa0NvQOCbua33a6', 'q7ZvORV0IvkwtHYn0w', 'xD7mm2yeT4', 'IeHmEbYj5L'
Source: 0.2.PO P24-1100.exe.3f4eb80.2.raw.unpack, I8k69bBhcJk8XM1Loc.cs	High entropy of concatenated method names: 'ToString', 'vwtvImMaVm', 'E3kvpiNKfZ', 'NEKvxB3CcU', 'rjcvHH88mO', 'yLkvtaHX13', 'j0pvc71MSs', 'QcevWfBnEY', 'SGDvkscNNw', 'nh8vOtYTR9'
Source: 0.2.PO P24-1100.exe.3f4eb80.2.raw.unpack, eZQMwHWHjPXCvp9K5E.cs	High entropy of concatenated method names: 'lNYK4irwqR', 'RSUK5ioZ1J', 'bkZKbby2uO', 'DA7bwYGjjP', 'u5ZbzP5VOq', 'Xp8KnZFsVF', 'tKTKmTeINj', 'uZpKapVa5o', 'cCkKELp561', 'zqEKCrcPkf'
Source: 0.2.PO P24-1100.exe.3f4eb80.2.raw.unpack, AGRIdmacD34X8JqfqL.cs	High entropy of concatenated method names: 'XSPTt801l', 'cViFLpj7u', 'geerPxDsE', 'ltbPT9du2', 'iyX3397Ha', 'O5ZAuTYoY', 'd1SqBwAZ3Eg3GAVYBM', 'Ych46CBgaTsZOBKXiJ', 'kCf9ZyJOx', 'H0disVCcH'
Source: 0.2.PO P24-1100.exe.3f4eb80.2.raw.unpack, bf22oHyxkktqlUGEyJ.cs	High entropy of concatenated method names: 'NnfUoZbLFK', 'aPvULvT26m', 'n9KUUrWEmi', 'rJGUZwZ56h', 'MSLUhlMgN1', 'CgmUD14tyD', 'Dispose', 'UNQ94uZwYB', 'tbW9qT1SRh', 'HaM95u6ftn'
Source: 0.2.PO P24-1100.exe.3f4eb80.2.raw.unpack, GfgLj0u1p422pIcK9p.cs	High entropy of concatenated method names: 'S2pqs9Y6rc', 'ysJqYpXFU3', 'n9AqBLPmpN', 'isoq1NWyL6', 'AIJqjUBVUS', 'MhQqG25BBH', 'mWuqyDR912', 'CrdqQaNO6Q', 'OSLqNTcbKu', 'qvLqwi0W32'
Source: 0.2.PO P24-1100.exe.3f4eb80.2.raw.unpack, jHGFeomCxQWPJ8T99Yt.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ser8UXtkPA', 'mAY8ieeN0o', 'Xd38Z3FFOg', 'd3G887OPJe', 'KPP8hKGoQJ', 'c4n80Wu3A2', 'Ol98DfflVN'
Source: 0.2.PO P24-1100.exe.3f4eb80.2.raw.unpack, qoISy3O3y1fmTU4uUb.cs	High entropy of concatenated method names: 'd0hKfUWQr3', 'wJ8KM8BZSk', 'eF9KTDIPiD', 'R96KFScDH9', 'l1QKef2qwu', 'qjXKrTJJme', 'JVXKPAYcKv', 'XguKueBCOe', 'EudK33r25X', 'SR3KAmyjq1'
Source: 0.2.PO P24-1100.exe.3f4eb80.2.raw.unpack, NC33vps37PRKumb6WG.cs	High entropy of concatenated method names: 'dO5ogxFJbk', 'wCGoSo3ViP', 'YqMos2STp7', 'Q88oYG1rCJ', 'wnYopfSv6c', 'eIwoxmSXlE', 'LkLoHwVUmY', 'bxuotJCvRk', 'Bsgoc8cjge', 'Le3oWse54f'
Source: 0.2.PO P24-1100.exe.3f4eb80.2.raw.unpack, giDPdkwbniocP5qfiG.cs	High entropy of concatenated method names: 'v7Vi5g9UQt', 'vfTiXb99OK', 'NZvibBcUf4', 'jBriKexCxl', 'n6kiU6qV9f', 'Wc9i6BkPYD', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.PO P24-1100.exe.3f4eb80.2.raw.unpack, PidoDDqUDqWxXxx5PB.cs	High entropy of concatenated method names: 'Dispose', 'MtqmNlUGEy', 'NphapTLgBW', 'DYm0Tfo9uX', 'Q6emwUCR1k', 'eOemz6j3GH', 'ProcessDialogKey', 'iJLanTT9e5', 'Q1BamdKikT', 'sQYaaqiDPd'
Source: 0.2.PO P24-1100.exe.3f4eb80.2.raw.unpack, Lq1kpNmmQkyvFgE8dID.cs	High entropy of concatenated method names: 'g1PiwLUkgU', 'sPoizEdRUa', 'pOKZnYiKEs', 'AGxZm41Ucl', 'JMPZaMoGUD', 'g7nZE0hjOx', 'qcLZCAyfHS', 'i7EZ24cjrQ', 'CqnZ4NNYqd', 'ChsZqtSoFU'
Source: 0.2.PO P24-1100.exe.3f4eb80.2.raw.unpack, aOhgWcmndciGiypg5s2.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'qVoiI2ewNQ', 'SOTiSoSMdm', 's5LiJd5yn6', 'mRbisLqsIx', 'Q35iYAkRbq', 'DOjiBVIwVn', 'iERi1ExPeA'
Source: 0.2.PO P24-1100.exe.3f4eb80.2.raw.unpack, K93061JJd1VbooLmkd.cs	High entropy of concatenated method names: 'sCuRul3W2D', 'lccR3p91Gk', 'pHFRdvTPOm', 'iCqRpdYvfP', 'CDaRHpmMb8', 'qgwRtMZSvt', 'gRjRWf7JSH', 'xhSRkuGsMx', 'rrgRgSXWqB', 'n8URIcRCFZ'
Source: 0.2.PO P24-1100.exe.3f4eb80.2.raw.unpack, EfUtvJ13YEuCM8k0GW.cs	High entropy of concatenated method names: 'RRuLl7b829', 'CWILVrYmO5', 'ToString', 'HFWL477ofY', 'HG3LqhcIjU', 'UlEL5IwjHo', 'QQqLXPnMLd', 'MBQLb8dGhp', 'aAZLKV8kHd', 'cSiL6i9KMk'
Source: 0.2.PO P24-1100.exe.3f4eb80.2.raw.unpack, qTT9e5Ns1BdKikTiQY.cs	High entropy of concatenated method names: 'eyQUdVlWEG', 'iDhUpa5KFv', 'hgZUxCeBEg', 'KrlUHfanb2', 'PDsUtAgP0S', 'umgUcLYlgU', 'yjlUWLyZbH', 'QE1UkTu5ZK', 'wFVUOE9Clq', 'hEfUg9yFPU'
Source: 0.2.PO P24-1100.exe.3f4eb80.2.raw.unpack, ddSoI96RcnCUBdaTbJ.cs	High entropy of concatenated method names: 'XEcE2QuNpg', 'kIFE4SJ4Bi', 'LNJEqKJnht', 'ukEE5woaGL', 'qdZEX7wiAo', 'OABEb7GMyW', 'yGbEK6mr5B', 'WqFE6Qr3ee', 'RKmE7c2McU', 'LZiEl0OqGj'
Source: 0.2.PO P24-1100.exe.3f4eb80.2.raw.unpack, y9BhMB3RpgEOnf5r7h.cs	High entropy of concatenated method names: 'o0Z5FGeXan', 'hOb5rdIYCn', 'V345uHKepg', 'vgJ53nIh9b', 'Aho5o4yBBk', 'PmU5vWFHCw', 'OX75L3WVMM', 'XOy59F17ph', 'VBq5Ugo8rG', 'PgN5i7IPKt'
Source: 0.2.PO P24-1100.exe.3f4eb80.2.raw.unpack, hImcqSdwIUNV0IcXpy.cs	High entropy of concatenated method names: 'qM1b2sJC8x', 'GJqbqj0m7D', 'fODbXEKKbZ', 'nSsbKBUYtQ', 'IbAb6Bs7mF', 'z2LXjfppYp', 'DLxXGe3I1O', 'OxUXySQqP7', 'z7HXQOk4Ec', 'o7SXNJvPIs'
Source: 0.2.PO P24-1100.exe.3f4eb80.2.raw.unpack, k4P9W7GiW52QidbN6E.cs	High entropy of concatenated method names: 'IpILQ5NdoK', 'Rl7LwtT7BR', 'O0A9nKJJgb', 'LEJ9mK8eyc', 'RQ1LIygdRl', 'NsjLSmJHB4', 'KecLJP33hW', 'FEfLsa5MNY', 'p7ILYKLEM6', 'N3xLBMn5Vs'

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: PO P24-1100.exe PID: 6768, type: MEMORYSTR

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\PO P24-1100.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\PO P24-1100.exe	Memory allocated: E40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Memory allocated: 2D10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Memory allocated: 1030000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Memory allocated: 7EE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Memory allocated: 8EE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Memory allocated: 90A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Memory allocated: A0A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Memory allocated: B10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Memory allocated: 2970000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Memory allocated: 26D0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\PO P24-1100.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6627	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3106	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Window / User API: threadDelayed 2644	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Window / User API: threadDelayed 7204	Jump to behavior

Source: C:\Users\user\Desktop\PO P24-1100.exe TID: 6844	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4960	Thread sleep time: -11068046444225724s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe TID: 1460	Thread sleep count: 2644 > 30	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe TID: 1460	Thread sleep count: 7204 > 30	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe TID: 6532	Thread sleep time: -24903104499507879s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe TID: 6532	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe TID: 6532	Thread sleep time: -99872s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe TID: 6532	Thread sleep time: -99763s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe TID: 6532	Thread sleep time: -99617s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe TID: 6532	Thread sleep time: -99503s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe TID: 6532	Thread sleep time: -99248s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe TID: 6532	Thread sleep time: -99134s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe TID: 6532	Thread sleep time: -99030s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe TID: 6532	Thread sleep time: -98922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe TID: 6532	Thread sleep time: -98812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe TID: 6532	Thread sleep time: -98703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe TID: 6532	Thread sleep time: -98594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe TID: 6532	Thread sleep time: -98484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe TID: 6532	Thread sleep time: -98375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe TID: 6532	Thread sleep time: -98265s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe TID: 6532	Thread sleep time: -98156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe TID: 6532	Thread sleep time: -98047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe TID: 6532	Thread sleep time: -97937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe TID: 6532	Thread sleep time: -97828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe TID: 6532	Thread sleep time: -97719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe TID: 6532	Thread sleep time: -97594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe TID: 6532	Thread sleep time: -97484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe TID: 6532	Thread sleep time: -97375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe TID: 6532	Thread sleep time: -97265s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe TID: 6532	Thread sleep time: -97156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe TID: 6532	Thread sleep time: -97047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe TID: 6532	Thread sleep time: -96937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe TID: 6532	Thread sleep time: -96828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe TID: 6532	Thread sleep time: -96718s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe TID: 6532	Thread sleep time: -96609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe TID: 6532	Thread sleep time: -96500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe TID: 6532	Thread sleep time: -96390s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe TID: 6532	Thread sleep time: -96281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe TID: 6532	Thread sleep time: -96172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe TID: 6532	Thread sleep time: -96047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe TID: 6532	Thread sleep time: -95937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe TID: 6532	Thread sleep time: -95828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe TID: 6532	Thread sleep time: -95719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe TID: 6532	Thread sleep time: -95594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe TID: 6532	Thread sleep time: -95484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe TID: 6532	Thread sleep time: -95375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe TID: 6532	Thread sleep time: -95266s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe TID: 6532	Thread sleep time: -95156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe TID: 6532	Thread sleep time: -95047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe TID: 6532	Thread sleep time: -94938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe TID: 6532	Thread sleep time: -94813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe TID: 6532	Thread sleep time: -94688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe TID: 6532	Thread sleep time: -94578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe TID: 6532	Thread sleep time: -94469s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\PO P24-1100.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\PO P24-1100.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\PO P24-1100.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\PO P24-1100.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Thread delayed: delay time: 99872	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Thread delayed: delay time: 99763	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Thread delayed: delay time: 99617	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Thread delayed: delay time: 99503	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Thread delayed: delay time: 99248	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Thread delayed: delay time: 99134	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Thread delayed: delay time: 99030	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Thread delayed: delay time: 98922	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Thread delayed: delay time: 98812	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Thread delayed: delay time: 98703	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Thread delayed: delay time: 98594	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Thread delayed: delay time: 98484	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Thread delayed: delay time: 98375	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Thread delayed: delay time: 98265	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Thread delayed: delay time: 98156	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Thread delayed: delay time: 98047	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Thread delayed: delay time: 97937	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Thread delayed: delay time: 97828	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Thread delayed: delay time: 97719	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Thread delayed: delay time: 97594	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Thread delayed: delay time: 97484	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Thread delayed: delay time: 97375	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Thread delayed: delay time: 97265	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Thread delayed: delay time: 97156	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Thread delayed: delay time: 97047	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Thread delayed: delay time: 96937	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Thread delayed: delay time: 96828	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Thread delayed: delay time: 96718	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Thread delayed: delay time: 96609	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Thread delayed: delay time: 96500	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Thread delayed: delay time: 96390	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Thread delayed: delay time: 96281	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Thread delayed: delay time: 96172	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Thread delayed: delay time: 96047	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Thread delayed: delay time: 95937	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Thread delayed: delay time: 95828	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Thread delayed: delay time: 95719	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Thread delayed: delay time: 95594	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Thread delayed: delay time: 95484	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Thread delayed: delay time: 95375	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Thread delayed: delay time: 95266	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Thread delayed: delay time: 95156	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Thread delayed: delay time: 95047	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Thread delayed: delay time: 94938	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Thread delayed: delay time: 94813	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Thread delayed: delay time: 94688	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Thread delayed: delay time: 94578	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Thread delayed: delay time: 94469	Jump to behavior

Source: PO P24-1100.exe, 00000000.00000002.1725328271.0000000000EA9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: PO P24-1100.exe, 00000000.00000002.1725328271.0000000000EA9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8G
Source: PO P24-1100.exe, 00000003.00000002.2950207081.0000000005D60000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\PO P24-1100.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\PO P24-1100.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO P24-1100.exe"
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO P24-1100.exe"			Jump to behavior

Source: C:\Users\user\Desktop\PO P24-1100.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO P24-1100.exe"			Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Process created: C:\Users\user\Desktop\PO P24-1100.exe "C:\Users\user\Desktop\PO P24-1100.exe"			Jump to behavior

Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Users\user\Desktop\PO P24-1100.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Users\user\Desktop\PO P24-1100.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\PO P24-1100.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 00000003.00000002.2947100789.0000000002971000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO P24-1100.exe PID: 2596, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 0.2.PO P24-1100.exe.3f0a580.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.PO P24-1100.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO P24-1100.exe.3ee1560.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO P24-1100.exe.3f0a580.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO P24-1100.exe.3ee1560.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2944805908.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1732307986.0000000003D19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\PO P24-1100.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\PO P24-1100.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\PO P24-1100.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\PO P24-1100.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\Desktop\PO P24-1100.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 00000003.00000002.2947100789.0000000002971000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO P24-1100.exe PID: 2596, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 00000003.00000002.2947100789.0000000002971000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO P24-1100.exe PID: 2596, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 0.2.PO P24-1100.exe.3f0a580.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.PO P24-1100.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO P24-1100.exe.3ee1560.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO P24-1100.exe.3f0a580.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO P24-1100.exe.3ee1560.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2944805908.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1732307986.0000000003D19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	1 Masquerading	2 OS Credential Dumping	111 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Disable or Modify Tools	1 Credentials in Registry	1 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	141 Virtualization/Sandbox Evasion	Security Account Manager	141 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	2 Data from Local System	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	24 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Timestomp	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
PO P24-1100.exe	34%	ReversingLabs
PO P24-1100.exe	100%	Avira	HEUR/AGEN.1305393
PO P24-1100.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mail.mbarieservicesltd.com	unknown	unknown	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://www.apache.org/licenses/LICENSE-2.0	PO P24-1100.exe, 00000000.00000002.1737153746.00000000071B2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com	PO P24-1100.exe, 00000000.00000002.1737153746.00000000071B2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designersG	PO P24-1100.exe, 00000000.00000002.1737153746.00000000071B2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers/?	PO P24-1100.exe, 00000000.00000002.1737153746.00000000071B2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.founder.com.cn/cn/bThe	PO P24-1100.exe, 00000000.00000002.1737153746.00000000071B2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers?	PO P24-1100.exe, 00000000.00000002.1737153746.00000000071B2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.tiro.com	PO P24-1100.exe, 00000000.00000002.1737153746.00000000071B2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers	PO P24-1100.exe, 00000000.00000002.1737153746.00000000071B2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.goodfont.co.kr	PO P24-1100.exe, 00000000.00000002.1737153746.00000000071B2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.carterandcone.coml	PO P24-1100.exe, 00000000.00000002.1737153746.00000000071B2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.sajatypeworks.com	PO P24-1100.exe, 00000000.00000002.1737153746.00000000071B2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.typography.netD	PO P24-1100.exe, 00000000.00000002.1737153746.00000000071B2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers/cabarga.htmlN	PO P24-1100.exe, 00000000.00000002.1737153746.00000000071B2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.founder.com.cn/cn/cThe	PO P24-1100.exe, 00000000.00000002.1737153746.00000000071B2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.galapagosdesign.com/staff/dennis.htm	PO P24-1100.exe, 00000000.00000002.1737153746.00000000071B2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.founder.com.cn/cn	PO P24-1100.exe, 00000000.00000002.1737153746.00000000071B2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers/frere-user.html	PO P24-1100.exe, 00000000.00000002.1737153746.00000000071B2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.jiyu-kobo.co.jp/	PO P24-1100.exe, 00000000.00000002.1737153746.00000000071B2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.galapagosdesign.com/DPlease	PO P24-1100.exe, 00000000.00000002.1737153746.00000000071B2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers8	PO P24-1100.exe, 00000000.00000002.1737153746.00000000071B2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fonts.com	PO P24-1100.exe, 00000000.00000002.1737153746.00000000071B2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.sandoll.co.kr	PO P24-1100.exe, 00000000.00000002.1737153746.00000000071B2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.urwpp.deDPlease	PO P24-1100.exe, 00000000.00000002.1737153746.00000000071B2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.zhongyicts.com.cn	PO P24-1100.exe, 00000000.00000002.1737153746.00000000071B2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	PO P24-1100.exe, 00000000.00000002.1731687325.0000000002D85000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.sakkal.com	PO P24-1100.exe, 00000000.00000002.1737153746.00000000071B2000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1559494
Start date and time:	2024-11-20 15:55:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 44s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	PO P24-1100.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@6/6@4/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 73 Number of non-executed functions: 17
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: PO P24-1100.exe

Simulations

Behavior and APIs

Time	Type	Description
09:56:03	API Interceptor	58x Sleep call for process: PO P24-1100.exe modified
09:56:05	API Interceptor	20x Sleep call for process: powershell.exe modified

Process:	C:\Users\user\Desktop\PO P24-1100.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1172
Entropy (8bit):	5.357042452875322
Encrypted:	false
SSDEEP:	24:3CytZWSKco4KmBs4RPT6BmFoUebIKomjKcmZ9t7J0gt/NKIl9r6dj:yyjWSU4y4RQmFoUeWmfmZ9tK8NDE
MD5:	475D428E7231D005EEA5DB556DBED03F
SHA1:	3D603ED4280E0017D1BEB124D68183F8283B5C22
SHA-256:	1314488A930843A7E1A003F2E7C1D883DB44ADEC26AC1CA096FE8DC1B4B180F5
SHA-512:	7181BDCE6DA8DA8AFD3A973BB2B0BA470468EFF32FFB338DB2662FEFA1A7848ACD87C319706B95401EA18DC873CA098DC722EA6F8B2FD04F1AABD2AEBEA97CF9
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	@...e.................................^..............@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3wmli3r0.p5s.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_b1u0lg1i.cy2.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mw3sbiun.1pu.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vabyxww4.fcn.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.970676437879018
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	PO P24-1100.exe
File size:	568'832 bytes
MD5:	d407b5bfa95d6549fceb3acd0a791c2b
SHA1:	f368052bae8505671cbdbab47acfe5994dc14417
SHA256:	11013cdd71339c3aac7041ef80912c8c03786f5967d58c539af0d560687089e8
SHA512:	bbf9d6687514842896fcdf6b29f12500c7b8c323e4f267ff3de3a328df4b4d2211cca320f653c4f01fcf3f766a0d3e9cd831a9de6691601e00a4cbe464a2075e
SSDEEP:	12288:nZQAgFdWlNesWPjcOfoahUHUMtK/Ib529tteCMXRaSykEHHPxjhWm:CAgyQPjcOfph0SELBaSyXPxUm
TLSH:	F3C422195A687759D0BE6B3EA5400E5D03F1B1267461E3C6CE88E2ECBF22B405A01FF7
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.............r.... ........@.. ....................... ............@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x48c172
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x860193C9 [Sat Mar 30 09:58:33 2041 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8c11f	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8e000	0x634	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x90000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x8a8e0	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x8a178	0x8a200	3a180f23f9f6f087ceedbe08f2140356	False	0.975751201923077	data	7.978390411078157	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x8e000	0x634	0x800	3022543506350fa934ef99a8d5457f02	False	0.34033203125	data	3.478651345247546	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x90000	0xc	0x200	5d4fdcc0798861b774b37db12b05ccce	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x8e090	0x3a4	data			0.4206008583690987
RT_MANIFEST	0x8e444	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 20, 2024 15:56:07.663705111 CET	53644	53	192.168.2.4	1.1.1.1
Nov 20, 2024 15:56:08.658009052 CET	53644	53	192.168.2.4	1.1.1.1
Nov 20, 2024 15:56:09.657573938 CET	53644	53	192.168.2.4	1.1.1.1
Nov 20, 2024 15:56:11.673161030 CET	53644	53	192.168.2.4	1.1.1.1
Nov 20, 2024 15:56:13.931987047 CET	53	53644	1.1.1.1	192.168.2.4
Nov 20, 2024 15:56:13.932028055 CET	53	53644	1.1.1.1	192.168.2.4
Nov 20, 2024 15:56:13.932060957 CET	53	53644	1.1.1.1	192.168.2.4
Nov 20, 2024 15:56:13.932089090 CET	53	53644	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 20, 2024 15:56:07.663705111 CET	192.168.2.4	1.1.1.1	0x8483	Standard query (0)	mail.mbarieservicesltd.com	A (IP address)	IN (0x0001)	false
Nov 20, 2024 15:56:08.658009052 CET	192.168.2.4	1.1.1.1	0x8483	Standard query (0)	mail.mbarieservicesltd.com	A (IP address)	IN (0x0001)	false
Nov 20, 2024 15:56:09.657573938 CET	192.168.2.4	1.1.1.1	0x8483	Standard query (0)	mail.mbarieservicesltd.com	A (IP address)	IN (0x0001)	false
Nov 20, 2024 15:56:11.673161030 CET	192.168.2.4	1.1.1.1	0x8483	Standard query (0)	mail.mbarieservicesltd.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 20, 2024 15:56:13.931987047 CET	1.1.1.1	192.168.2.4	0x8483	Server failure (2)	mail.mbarieservicesltd.com	none	none	A (IP address)	IN (0x0001)	false
Nov 20, 2024 15:56:13.932028055 CET	1.1.1.1	192.168.2.4	0x8483	Server failure (2)	mail.mbarieservicesltd.com	none	none	A (IP address)	IN (0x0001)	false
Nov 20, 2024 15:56:13.932060957 CET	1.1.1.1	192.168.2.4	0x8483	Server failure (2)	mail.mbarieservicesltd.com	none	none	A (IP address)	IN (0x0001)	false
Nov 20, 2024 15:56:13.932089090 CET	1.1.1.1	192.168.2.4	0x8483	Server failure (2)	mail.mbarieservicesltd.com	none	none	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	09:56:02
Start date:	20/11/2024
Path:	C:\Users\user\Desktop\PO P24-1100.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PO P24-1100.exe"
Imagebase:	0x800000
File size:	568'832 bytes
MD5 hash:	D407B5BFA95D6549FCEB3ACD0A791C2B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.1732307986.0000000003D19000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	09:56:04
Start date:	20/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO P24-1100.exe"
Imagebase:	0x540000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	09:56:04
Start date:	20/11/2024
Path:	C:\Users\user\Desktop\PO P24-1100.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PO P24-1100.exe"
Imagebase:	0x4f0000
File size:	568'832 bytes
MD5 hash:	D407B5BFA95D6549FCEB3ACD0A791C2B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000002.2944805908.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2947100789.0000000002971000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.2947100789.0000000002971000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	09:56:05
Start date:	20/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	8.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	94
Total number of Limit Nodes:	10

Executed Functions

Function 051EACB0 Relevance: 15.1, Strings: 10, Instructions: 2604COMMON

Download Yara Rule

Strings

4|cq, xrefs: 051EDAB3
4'^q, xrefs: 051EBB13
4'^q, xrefs: 051ED8C3
$^q, xrefs: 051ED970
4'^q, xrefs: 051EBC9B
4'^q, xrefs: 051ED94E
4|cq, xrefs: 051EDA98
4'^q, xrefs: 051ECB81
4'^q, xrefs: 051ED91E
(o^q, xrefs: 051EAD86

Memory Dump Source

Source File: 00000000.00000002.1735051996.00000000051E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_51e0000_PO P24-1100.jbxd

Similarity

API ID:
String ID: (o^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4|cq$4|cq$$^q
API String ID: 0-2723476363
Opcode ID: b3dd5c4e3b9c66fd82641561e1e3144899ade5b4b28d107990cc5670566daa87
Instruction ID: dbe99e0f0d57aefeec2069deb7c67fbbd1db03bc90a65abfdfe1e20263e62747
Opcode Fuzzy Hash: b3dd5c4e3b9c66fd82641561e1e3144899ade5b4b28d107990cc5670566daa87
Instruction Fuzzy Hash: F243D874A046198FCB24DF68C898A9DBBB2BF49314F1585D9E519AB361CB30EDC1CF90

Function 051E9DE8 Relevance: 7.0, Strings: 5, Instructions: 721COMMON

Download Yara Rule

Strings

(o^q, xrefs: 051EA671
(o^q, xrefs: 051EA67B
,bq, xrefs: 051EA40F
,bq, xrefs: 051EA3FF
Hbq, xrefs: 051EA6E8

Memory Dump Source

Source File: 00000000.00000002.1735051996.00000000051E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_51e0000_PO P24-1100.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$,bq$,bq$Hbq
API String ID: 0-3486158592
Opcode ID: 38ef38ebcbc3e221491d645e233d4fad8bd9e4eb392b388d32777df23b1e2922
Instruction ID: 6e59d931903484b97a249ef54f699fa00062c906cfaf3b650c924a8c5500090d
Opcode Fuzzy Hash: 38ef38ebcbc3e221491d645e233d4fad8bd9e4eb392b388d32777df23b1e2922
Instruction Fuzzy Hash: 53525035B006159FCB18DF69C498A6EBBF2BF89711F158169E806DB3A1DB31EC41CB90

Function 0AA60448 Relevance: .6, Instructions: 638COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1739718314.000000000AA60000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa60000_PO P24-1100.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4609822df91313c860fb51984d6fc0265e91f954612c010fdbbb847f55f29dd
Instruction ID: 2af043634e387a42a2c6caf4c56f1a77450125a2f7f72bf21ced7766c5786296
Opcode Fuzzy Hash: c4609822df91313c860fb51984d6fc0265e91f954612c010fdbbb847f55f29dd
Instruction Fuzzy Hash: 94329B71B012048FDB28DF69D550BAEBBF6AF89300F1484A9E546AB391CB35ED81CF51

Function 02BE7C08 Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731582985.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2be0000_PO P24-1100.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ac868be219b0d6c16b32c780326cef36dd30f26fdf16906c0c8a5d9bd6298e5
Instruction ID: 79a2067a15172ed16e25c7b63b7e2e71b9527cd9ddf93b9d8119359449f7d6f6
Opcode Fuzzy Hash: 7ac868be219b0d6c16b32c780326cef36dd30f26fdf16906c0c8a5d9bd6298e5
Instruction Fuzzy Hash: 85524930A003558FCB14DF28C844B99B7F2EF89314F2586E9D5596F3A2DB71A986CF80

Function 02BEA0B1 Relevance: .6, Instructions: 577COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731582985.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2be0000_PO P24-1100.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59e9114523b995741595b00f3cbf325af866f10d29515b37346704d2aa8553d8
Instruction ID: 874b180bf8713d328af0e799e212fe2d06b3f35fefb0f2997d9365e9d591a06c
Opcode Fuzzy Hash: 59e9114523b995741595b00f3cbf325af866f10d29515b37346704d2aa8553d8
Instruction Fuzzy Hash: 82524930A007558FCB14DF28C844B99B7F2EF85314F2586E9D5596F3A2DB71AA86CF80

Function 00E4D3B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 135
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00E4D43E
GetCurrentThread.KERNEL32 ref: 00E4D47B
GetCurrentProcess.KERNEL32 ref: 00E4D4B8
GetCurrentThreadId.KERNEL32 ref: 00E4D511

Strings

sLMs, xrefs: 00E4D3DC

Memory Dump Source

Source File: 00000000.00000002.1725221236.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_PO P24-1100.jbxd

Similarity

API ID: Current$ProcessThread
String ID: sLMs
API String ID: 2063062207-2912269572
Opcode ID: e23dbb8df445e5fe09e7214c9e429e8b7ad0a46bd2f485789c178abe51de8ef5
Instruction ID: 07555377eb73baec369995d6e523179035bfdcbb17d81c34fdccbb3252ce1826
Opcode Fuzzy Hash: e23dbb8df445e5fe09e7214c9e429e8b7ad0a46bd2f485789c178abe51de8ef5
Instruction Fuzzy Hash: E05167B0D007498FDB14DFAAD988B9EBBF1EF88314F208459E019B7390DB746944CB65

Function 00E4D3C0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00E4D43E
GetCurrentThread.KERNEL32 ref: 00E4D47B
GetCurrentProcess.KERNEL32 ref: 00E4D4B8
GetCurrentThreadId.KERNEL32 ref: 00E4D511

Strings

sLMs, xrefs: 00E4D3DC

Memory Dump Source

Source File: 00000000.00000002.1725221236.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_PO P24-1100.jbxd

Similarity

API ID: Current$ProcessThread
String ID: sLMs
API String ID: 2063062207-2912269572
Opcode ID: 67b85509b161c91ee54ef096ba06bc5d5ec8a34ba76f1046f2b498ad9883dc17
Instruction ID: 89eb86de9d043628a3b30fccb8beddb8c4e73528e82540569bbbdf4f86fdce94
Opcode Fuzzy Hash: 67b85509b161c91ee54ef096ba06bc5d5ec8a34ba76f1046f2b498ad9883dc17
Instruction Fuzzy Hash: 785164B0D007498FDB14DFAAD988B9EBBF1EF88314F208459E019B7390DB746984CB65

Function 02BE1CE4 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 119
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02BE1E02

Strings

sLMs, xrefs: 02BE1D3E
sLMs, xrefs: 02BE1D1E

Memory Dump Source

Source File: 00000000.00000002.1731582985.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2be0000_PO P24-1100.jbxd

Similarity

API ID: CreateWindow
String ID: sLMs$sLMs
API String ID: 716092398-1106228246
Opcode ID: 61a8c46932ae566b81456015fa4397cf40ed8a6ede462f3e41d8d8b72e9c2684
Instruction ID: 59beaac77744d930e9f315ffa49b844591f716d17e0f51cb452e4e5987b96aab
Opcode Fuzzy Hash: 61a8c46932ae566b81456015fa4397cf40ed8a6ede462f3e41d8d8b72e9c2684
Instruction Fuzzy Hash: F051D1B1D103099FDF14CFA9C984ADEBBB5FF48714F24816AE819AB210D7719845CF90

Function 02BE1CF0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02BE1E02

Strings

sLMs, xrefs: 02BE1D3E
sLMs, xrefs: 02BE1D1E

Memory Dump Source

Source File: 00000000.00000002.1731582985.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2be0000_PO P24-1100.jbxd

Similarity

API ID: CreateWindow
String ID: sLMs$sLMs
API String ID: 716092398-1106228246
Opcode ID: 4c4df94081603a94330b2dc8fd7c43b1fa58b6f70fe7fe48c85d286a1d891f0f
Instruction ID: 773fdd3eca40ce7f0438ac8963b65446171b8f917bf46a581e2aac5901f8b130
Opcode Fuzzy Hash: 4c4df94081603a94330b2dc8fd7c43b1fa58b6f70fe7fe48c85d286a1d891f0f
Instruction Fuzzy Hash: F341C0B1D103099FDF14CF9AC884ADEBBB5FF48310F24816AE819AB210D7B0A845CF90

Function 00E4B130 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00E4B386

Strings

sLMs, xrefs: 00E4B33F

Memory Dump Source

Source File: 00000000.00000002.1725221236.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_PO P24-1100.jbxd

Similarity

API ID: HandleModule
String ID: sLMs
API String ID: 4139908857-2912269572
Opcode ID: 378121c51b8e177bb14d3d9e4092f82e20d5783a1bcdb9c2d71916f67c1b0154
Instruction ID: 3f2863fd7cb3cc01f9f44f8b9f10cee7f027263e3f47f815602438280dc46875
Opcode Fuzzy Hash: 378121c51b8e177bb14d3d9e4092f82e20d5783a1bcdb9c2d71916f67c1b0154
Instruction Fuzzy Hash: E7714170A00B048FD724DF2AE45575ABBF2FF88304F108A2DE48AE7A50DB74E845CB91

Function 00E4590D Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00E459C9

Strings

sLMs, xrefs: 00E4594C

Memory Dump Source

Source File: 00000000.00000002.1725221236.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_PO P24-1100.jbxd

Similarity

API ID: Create
String ID: sLMs
API String ID: 2289755597-2912269572
Opcode ID: 76ed401164c6ddd34488afcd360a127b18303589d451e8816fe669d11cf295a4
Instruction ID: c29b5bba00fdf93fab087eb3f395d2cc515b61ad2f64d96941f0664c5e0e05b1
Opcode Fuzzy Hash: 76ed401164c6ddd34488afcd360a127b18303589d451e8816fe669d11cf295a4
Instruction Fuzzy Hash: 8441E2B1C00719CBDB24CFAAC884BDEBBF5BF49304F20816AD509AB251DB756946CF50

Function 02BE0BE4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 02BE4381

Strings

sLMs, xrefs: 02BE42D7

Memory Dump Source

Source File: 00000000.00000002.1731582985.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2be0000_PO P24-1100.jbxd

Similarity

API ID: CallProcWindow
String ID: sLMs
API String ID: 2714655100-2912269572
Opcode ID: 032be4ce711846939dcbd1fffbe000e5094397f18e299116c0d4101a185ae63d
Instruction ID: 6a41e7b66c02963edf7368282c56efef8aa011c4209d18b343e7ca5fd1259035
Opcode Fuzzy Hash: 032be4ce711846939dcbd1fffbe000e5094397f18e299116c0d4101a185ae63d
Instruction Fuzzy Hash: AC4119B5A007058FCB14DF99C488AABFBF5FB88314F24C499D51AAB361D774A845CFA0

Function 00E444C4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00E459C9

Strings

sLMs, xrefs: 00E4594C

Memory Dump Source

Source File: 00000000.00000002.1725221236.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_PO P24-1100.jbxd

Similarity

API ID: Create
String ID: sLMs
API String ID: 2289755597-2912269572
Opcode ID: dd26a1bdc148ef07093ba06c4625ba5a14b6bb8dc6dceecbfd66c68ab0d1fe71
Instruction ID: 1ed57962cec1215ee8edbe8c6b6ba003cd5630ef9c78e3beb566a5e0eb008892
Opcode Fuzzy Hash: dd26a1bdc148ef07093ba06c4625ba5a14b6bb8dc6dceecbfd66c68ab0d1fe71
Instruction Fuzzy Hash: 1041D1B1C0071DCBDB24DFAAC884B9EBBB5BF89304F20816AD509AB251DB716945CF90

Function 00E4D600 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00E4D68F

Strings

sLMs, xrefs: 00E4D627

Memory Dump Source

Source File: 00000000.00000002.1725221236.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_PO P24-1100.jbxd

Similarity

API ID: DuplicateHandle
String ID: sLMs
API String ID: 3793708945-2912269572
Opcode ID: ea3e5b1e79d4061e48d6e89050c41bf79f2430002612de8635b3255618909781
Instruction ID: 6ab1f9ce572468545f4b915153afef58f1f04e04ca4f4707c1247d6425980319
Opcode Fuzzy Hash: ea3e5b1e79d4061e48d6e89050c41bf79f2430002612de8635b3255618909781
Instruction Fuzzy Hash: D721E4B5D003089FDB10CFAAD984ADEBBF5EB48320F24845AE958A7350D374A954CFA5

Function 00E4D608 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00E4D68F

Strings

sLMs, xrefs: 00E4D627

Memory Dump Source

Source File: 00000000.00000002.1725221236.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_PO P24-1100.jbxd

Similarity

API ID: DuplicateHandle
String ID: sLMs
API String ID: 3793708945-2912269572
Opcode ID: 331676b5758e9961b4017af1a8e8ea121a04fac2b3900df87873ff675fc50e9f
Instruction ID: d6fe3b76e676bf7c11459985a813a277a65d00d6aa792592e64a8db7f6f4e1a1
Opcode Fuzzy Hash: 331676b5758e9961b4017af1a8e8ea121a04fac2b3900df87873ff675fc50e9f
Instruction Fuzzy Hash: 6821C4B59002489FDB10CF9AD984ADEBBF5EB48310F14845AE958A3350D374A954CFA5

Function 00E4B320 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00E4B386

Strings

sLMs, xrefs: 00E4B33F

Memory Dump Source

Source File: 00000000.00000002.1725221236.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_PO P24-1100.jbxd

Similarity

API ID: HandleModule
String ID: sLMs
API String ID: 4139908857-2912269572
Opcode ID: f9566b4e2b410583020cbf5c3c259814e201dffce01062d250e4edc422e0ec6e
Instruction ID: 753933a0fdb57a5b19be1c59c3f1401f0307d7d08e02a6496e38e3cc2737a743
Opcode Fuzzy Hash: f9566b4e2b410583020cbf5c3c259814e201dffce01062d250e4edc422e0ec6e
Instruction Fuzzy Hash: B7110FB5C003498FCB10DF9AD444A9EFBF4AB88324F10841AD419B7210C3B5A545CFA5

Function 00D9D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1724285441.0000000000D9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d9d000_PO P24-1100.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 812bd1bef40f64f5f3c74eba3676941ed70ca8d423089305aca1ffca4596aa38
Instruction ID: b843167c5f5f11f4199dabaafb12d3fe77e27d2d595e8180ef573294e11d0c6b
Opcode Fuzzy Hash: 812bd1bef40f64f5f3c74eba3676941ed70ca8d423089305aca1ffca4596aa38
Instruction Fuzzy Hash: 2F2128B1604204DFDF05DF14D9C4B26BF66FB94324F24C569D90A0B256C336E856C7B2

Function 00DBD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1724446229.0000000000DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dbd000_PO P24-1100.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6b81fc254ba3fdb61b1e15c5f56f371f5262ea6d23128eaad51b58d06b2be15
Instruction ID: 9634fcf8cc78a4a23a1b474732f05d8f42eba689f6d3414b584f9797c2c1513e
Opcode Fuzzy Hash: f6b81fc254ba3fdb61b1e15c5f56f371f5262ea6d23128eaad51b58d06b2be15
Instruction Fuzzy Hash: 3421D075604200DFCB14EF14D984B66BBA6EB98324F24C969E84B4B286D33AD807CA71

Function 00DBD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1724446229.0000000000DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dbd000_PO P24-1100.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea652dce3d0f8d39bad7914e9eb1f84601b92d72c69f4229ecd92149906be56e
Instruction ID: 20f038c68a2f9e837af99ee14dee07af838fe7f837ef092484fe1629bd262700
Opcode Fuzzy Hash: ea652dce3d0f8d39bad7914e9eb1f84601b92d72c69f4229ecd92149906be56e
Instruction Fuzzy Hash: BD21F575604240EFDB05DF14D9C4B65BBA6FB94314F24C66DD84A4B291D336D806CB71

Function 00DBD005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1724446229.0000000000DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dbd000_PO P24-1100.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9b8ddf1950b23968a07ecc9ee09f572311e7a4d4afe5e80d59e7ee057faa346
Instruction ID: ce77b4bfeb08fd071e50fec71c919ddf52053091b15db8417ccec8d8fbcc676d
Opcode Fuzzy Hash: b9b8ddf1950b23968a07ecc9ee09f572311e7a4d4afe5e80d59e7ee057faa346
Instruction Fuzzy Hash: D2218375509380CFCB02DF24D594715BF72EB46314F28C5DAD8498B2A7C33A980ACB62

Function 00D9D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1724285441.0000000000D9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d9d000_PO P24-1100.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
Instruction ID: 2a4dde1792de508f33389f6b447823d48e0e4a4f8a6ef4ecd8377cbe72c313da
Opcode Fuzzy Hash: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
Instruction Fuzzy Hash: 7E11E676504240DFDF16CF14D5C4B16BF72FB94324F28C6A9D9090B656C33AE85ACBA1

Function 00DBD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1724446229.0000000000DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dbd000_PO P24-1100.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction ID: 28151a92702f8a2ed37929aad854130ee26e2f787fa1f6e5058b6f16c61c8a02
Opcode Fuzzy Hash: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction Fuzzy Hash: 3811BB75904280DFCB02CF10C5C4B15BBB2FB84324F28C6ADD84A4B296C33AD80ACB61

Function 00D9D759 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1724285441.0000000000D9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d9d000_PO P24-1100.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15de185669dc273dabea69592eb2cef7021bfe7638b4340a72e5fc37cbfc57b7
Instruction ID: 2b35d22b84b11628a10f4dc4e1c56b2ba15e8501e2a293b96b6ce0dcbbf28c94
Opcode Fuzzy Hash: 15de185669dc273dabea69592eb2cef7021bfe7638b4340a72e5fc37cbfc57b7
Instruction Fuzzy Hash: 4001F7710043409AEB105AA5CCC4B26BFD9DF51321F2CC81AED4A0A286C7789C40C6B1

Function 00D9D758 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1724285441.0000000000D9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d9d000_PO P24-1100.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52eabadc3f10bf947aaa169e7eb5f149004e17d1dcf18aa1d283b7385a071e3d
Instruction ID: 532c6999d42f33d40166febd64d9daa67571650365cdfda3de4b1e0499a4ee5b
Opcode Fuzzy Hash: 52eabadc3f10bf947aaa169e7eb5f149004e17d1dcf18aa1d283b7385a071e3d
Instruction Fuzzy Hash: B3F06271404344AEEB208A56DC84B62FFE8EF51735F18C55AED494A296C379AC44CAB1

Function 0AA61F20 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1739718314.000000000AA60000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa60000_PO P24-1100.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81a705c668838cc64ef2510d8e18935be797f0de21faf00a11f954809ce477a4
Instruction ID: 89a5558c60436c6a95ee01216e5d294f909c8f2f3b64662548452856a7d86207
Opcode Fuzzy Hash: 81a705c668838cc64ef2510d8e18935be797f0de21faf00a11f954809ce477a4
Instruction Fuzzy Hash: A3F03076A40215DFC750DFADE9066DEBFF0BB48221F11856BD008E7611D7708A458FD1

Function 0AA61F30 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1739718314.000000000AA60000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa60000_PO P24-1100.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08e3ea1bd305918093441942a0a5805ef30e32ed2beed9dae9ae4108f51ba643
Instruction ID: 9f60be693a189524897488f586ad59e519cecb0b405f5050b72c6616ab69c474
Opcode Fuzzy Hash: 08e3ea1bd305918093441942a0a5805ef30e32ed2beed9dae9ae4108f51ba643
Instruction Fuzzy Hash: 77E092B0D4421AEFD740EFA9C945A9EBFF0BB08600F5185AAD019E7261E7B49A048F91

Non-executed Functions

Function 0AA61AF8 Relevance: 2.8, Strings: 2, Instructions: 298COMMON

Download Yara Rule

Strings

PH^q, xrefs: 0AA61CE3
PH^q, xrefs: 0AA61DBB

Memory Dump Source

Source File: 00000000.00000002.1739718314.000000000AA60000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AA60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aa60000_PO P24-1100.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: d4baeb84b2da289ea75f60b6e6d5256024f092331be0081c0d6b981da6d89d81
Instruction ID: a53b6b65da471db788cda7f631863d020823c857e12140f601be1123577c5ea0
Opcode Fuzzy Hash: d4baeb84b2da289ea75f60b6e6d5256024f092331be0081c0d6b981da6d89d81
Instruction Fuzzy Hash: 70D19374A00605CFDB54DF69C598AE9BBF1AF48701F2681A9E505EB3A1DB31AD40CF60

Function 02BE0040 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731582985.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2be0000_PO P24-1100.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b39ec5d5bd8d2a384ef7ce0d99a59d3a674e8a435165e6a6ee9ae27f0b67d41
Instruction ID: ed3b4c9305b76e6772d06924ba8bc7bdb76651bbf5f294affd500b0eef10f467
Opcode Fuzzy Hash: 1b39ec5d5bd8d2a384ef7ce0d99a59d3a674e8a435165e6a6ee9ae27f0b67d41
Instruction Fuzzy Hash: 001273B040274A8EE730EF65EC4C1897AB1BB45319B505309DEE52B2E9D7BE114BCF64

Function 00E4DF64 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1725221236.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_PO P24-1100.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5bc4af423be94f41cae4173c13363653542a1ed838e4707cb28d2a4fe330f2e
Instruction ID: fadb122333e625c8e8ce1723057961271381be2b76837471eed710929fdda627
Opcode Fuzzy Hash: d5bc4af423be94f41cae4173c13363653542a1ed838e4707cb28d2a4fe330f2e
Instruction Fuzzy Hash: B5A17B32E002098FCF15DFB4E84459EBBF2FF84704B15956AE806BB265DB75E915CB80

Function 02BE001B Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731582985.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2be0000_PO P24-1100.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ddb7f541721591302ab7b0fda8bb337adbd107a899ee276297d27b973645940
Instruction ID: 9536c942fc5ca23928acf7d1288f73d06b2ba9ac9360807068a97fa1a7914950
Opcode Fuzzy Hash: 1ddb7f541721591302ab7b0fda8bb337adbd107a899ee276297d27b973645940
Instruction Fuzzy Hash: 2DC104B080274A8FD730EF65EC481897BB1BB85324B615309DDA16B2E9DBBE104BCF54

Function 051E646C Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735051996.00000000051E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_51e0000_PO P24-1100.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 228aafff6e541b3e64f4e46d4a755331b26d296f1bee9c6030ee594685878cf3
Instruction ID: ece4737a0aa904fa381713ea9bfb39c94aa00fd0e4edb66f2ce9406632c931d0
Opcode Fuzzy Hash: 228aafff6e541b3e64f4e46d4a755331b26d296f1bee9c6030ee594685878cf3
Instruction Fuzzy Hash: 3851D9B0E01609AFDB04DFADC984AAEBBF2FF88310F14C565E418E7355D734AA818B54

Function 051E8B5A Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735051996.00000000051E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_51e0000_PO P24-1100.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3929dd2bc6ce3063615290f8d6b367c27ed8ce444c9cae80575312cee2438e27
Instruction ID: 917350372bc1a648aae99eb1a6ad3b60481ccec12ccb7552f4dbb9c7ea0dca32
Opcode Fuzzy Hash: 3929dd2bc6ce3063615290f8d6b367c27ed8ce444c9cae80575312cee2438e27
Instruction Fuzzy Hash: 1F51C8B4E006099FDB04DFA9C984AEEBBF2BF88310F18C565E418E7355D734AA91CB54

Function 051E1951 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000044), ref: 051E19AE
GetSystemMetrics.USER32(00000045), ref: 051E19E8

Strings

sLMs, xrefs: 051E1977

Memory Dump Source

Source File: 00000000.00000002.1735051996.00000000051E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_51e0000_PO P24-1100.jbxd

Similarity

API ID: MetricsSystem
String ID: sLMs
API String ID: 4116985748-2912269572
Opcode ID: 8adeea377b00cc2ef9c61db42792bb5b73a86d6b709b0951e43ee9cb15507ccd
Instruction ID: 38765cff16bf843759a78d56cc86fadbe258621032c2e27c4c9e875b12a657bd
Opcode Fuzzy Hash: 8adeea377b00cc2ef9c61db42792bb5b73a86d6b709b0951e43ee9cb15507ccd
Instruction Fuzzy Hash: 1C2154B18007498FDB20DF9AC44ABAEBFF4FB08315F248459D55AA7390C778A584CFA5

Analysis Process: PO P24-1100.exePID: 2596, Parent PID: 6768COMMON

Execution Graph

Execution Coverage:	7.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	5
Total number of Limit Nodes:	0

Executed Functions

Function 062871D0 Relevance: 6.9, Strings: 5, Instructions: 608
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 062879D0
$^q, xrefs: 062879F9
$^q, xrefs: 06287A1B
$^q, xrefs: 06287A05
$^q, xrefs: 062879DC

Memory Dump Source

Source File: 00000003.00000002.2950775817.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6280000_PO P24-1100.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q
API String ID: 0-358201761
Opcode ID: 296cdb7bcb188571f942e4f68b5f26f6960d1e0a73c03d1af0d8671ff55a1f30
Instruction ID: e47d450c44d8f86949f94d4a5501761759bc82f4e6ba5851c145416bd5a80de2
Opcode Fuzzy Hash: 296cdb7bcb188571f942e4f68b5f26f6960d1e0a73c03d1af0d8671ff55a1f30
Instruction Fuzzy Hash: 72424031E1071A9FCB54EF78C85469DB7F2AFC9300F6086AAD409AB255EF709D85CB81

Function 0628C220 Relevance: 6.8, Strings: 5, Instructions: 515
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

c<, xrefs: 0628C78A
$^q, xrefs: 0628C5A6
Uc<, xrefs: 0628C7F9
c<, xrefs: 0628C732
$^q, xrefs: 0628C59A

Memory Dump Source

Source File: 00000003.00000002.2950775817.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6280000_PO P24-1100.jbxd

Similarity

API ID:
String ID: Uc<$$^q$$^q$c<$c<
API String ID: 0-1836474973
Opcode ID: 0580b65b3e5d9e217d6490ff8a47fec1c24499d2c88203587cb52735e0e5e1ea
Instruction ID: f8c2a38e6f6098203091fad87a4cbbd579120e6ba78258299ba0ab144fc16d15
Opcode Fuzzy Hash: 0580b65b3e5d9e217d6490ff8a47fec1c24499d2c88203587cb52735e0e5e1ea
Instruction Fuzzy Hash: 4502B230B112169FDB54EB78D8506AEB7E2AF84314F148969E809EB3C5EB34DC82C795

Function 06280040 Relevance: 3.0, Instructions: 3001COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2950775817.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6280000_PO P24-1100.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1d5d1ca55377edceba69e849222cbaa7ee4ff4755b2cb7ee4deffa708bac8d9
Instruction ID: 2106a22e7244c13dca5612b3bebd1370deb759039ffccba3c3bb4503a84dc275
Opcode Fuzzy Hash: e1d5d1ca55377edceba69e849222cbaa7ee4ff4755b2cb7ee4deffa708bac8d9
Instruction Fuzzy Hash: 54631B31D20B1A8ECB51EF68C880599F7B1FF99300F55C79AE45877221EB70AAD5CB81

Function 06289C23 Relevance: 2.9, Strings: 2, Instructions: 429
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XPcq, xrefs: 06289ED2
\Ocq, xrefs: 06289D66

Memory Dump Source

Source File: 00000003.00000002.2950775817.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6280000_PO P24-1100.jbxd

Similarity

API ID:
String ID: XPcq$\Ocq
API String ID: 0-2802517751
Opcode ID: ec76412550ee18111a29fc69ac4fa120fafcc34ae05459cd5f36ce30f78e23e0
Instruction ID: bfa2a8cadd7ff8fbbbc8ddc5c272e062026c990e6dee877adc04be23f219c7ba
Opcode Fuzzy Hash: ec76412550ee18111a29fc69ac4fa120fafcc34ae05459cd5f36ce30f78e23e0
Instruction Fuzzy Hash: 37E1F631F211158FDB54AB6CD890BAEBBF5EB89310F11846AE846DB3D2CA31DC81C791

Function 06280028 Relevance: 1.8, Instructions: 1754COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2950775817.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6280000_PO P24-1100.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e15f002b15705223d8269213936dbb551a916af9e0d4362a4ea126679109676d
Instruction ID: b827be59201e0a5fbebe73f60e57d4af4fbb07857919a4692bd4277a8d82aeb0
Opcode Fuzzy Hash: e15f002b15705223d8269213936dbb551a916af9e0d4362a4ea126679109676d
Instruction Fuzzy Hash: D113D531C10B1A8ECB51EF68C8805A9F7B1FF99300F55D79AE45877221EB70AAD5CB81

Function 0628A8F8 Relevance: .9, Instructions: 870COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2950775817.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6280000_PO P24-1100.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44b2d3827af1dd9cbb44ded89faa23b54d62e1675a491dc8bd4f97abaf491d3f
Instruction ID: 9bc9ef49a0ee4029e2e95ad085b85a3fe245d1d9b2057441fafbfb6abba89d4b
Opcode Fuzzy Hash: 44b2d3827af1dd9cbb44ded89faa23b54d62e1675a491dc8bd4f97abaf491d3f
Instruction Fuzzy Hash: 1162C130B212059FDB54EB68D9906ADB7F2EF84311F54856AE80AEB391DF35DC42CB81

Function 062894A0 Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2950775817.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6280000_PO P24-1100.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c375b03c94116f365a8868c23156ab383d68a45d1e9f74b77e51138f62008962
Instruction ID: f20fbe8036c0b95dde7f6c62b89c3a9155f5920260be9580bee8e7f91897526f
Opcode Fuzzy Hash: c375b03c94116f365a8868c23156ab383d68a45d1e9f74b77e51138f62008962
Instruction Fuzzy Hash: ED81E471E262168FDF709F6DC88077EFBA1EB46321F148866E969DB2C1C634D881C791

Function 0628D720 Relevance: 11.5, Strings: 9, Instructions: 280
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

uc<, xrefs: 0628DA08
$^q, xrefs: 0628D7D7
kc<, xrefs: 0628D7F7
$^q, xrefs: 0628D7C1
c<, xrefs: 0628D94A
$c<, xrefs: 0628D807
$^q, xrefs: 0628D83A
$^q, xrefs: 0628D82E
}c<, xrefs: 0628D789

Memory Dump Source

Source File: 00000003.00000002.2950775817.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6280000_PO P24-1100.jbxd

Similarity

API ID:
String ID: $c<$kc<$uc<$}c<$$^q$$^q$$^q$$^q$c<
API String ID: 0-206387987
Opcode ID: af577994ee685f2b592e5982ebbfdd1e8cd7d1ce550b8d3858f71081ff4e4a6a
Instruction ID: b781d67283ebde115adff647666967aa0b266fc85fd9f104b46f5e342a3053f7
Opcode Fuzzy Hash: af577994ee685f2b592e5982ebbfdd1e8cd7d1ce550b8d3858f71081ff4e4a6a
Instruction Fuzzy Hash: 0EC12C30E112199FDB64DF65D8507DEB7F2AF89300F5085AAD809AB384DA309E81CF95

Function 0628F5A8 Relevance: 10.4, Strings: 8, Instructions: 411
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 0628F78F
$^q, xrefs: 0628F76C
$^q, xrefs: 0628F79B
$^q, xrefs: 0628F760
$^q, xrefs: 0628F6D9
$^q, xrefs: 0628F72B
$^q, xrefs: 0628F737
$^q, xrefs: 0628F6E5

Memory Dump Source

Source File: 00000003.00000002.2950775817.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6280000_PO P24-1100.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3823777903
Opcode ID: e0a2b437bf950e5495bb1045555be1e8b381c86a44d1eab23995c25c64c90cb5
Instruction ID: e4bdf94d2ada60aa364ee6e70be99ef56b2a0dbb9cb3e08e8fd52cebf24b4897
Opcode Fuzzy Hash: e0a2b437bf950e5495bb1045555be1e8b381c86a44d1eab23995c25c64c90cb5
Instruction Fuzzy Hash: A2E17330E2121A8FDB54EF68D9506AEB7F2EF85340F608569E819AB385DF70D841CB81

Function 0628D70F Relevance: 9.0, Strings: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

uc<, xrefs: 0628DA08
kc<, xrefs: 0628D7F7
$^q, xrefs: 0628D7C1
c<, xrefs: 0628D94A
$c<, xrefs: 0628D807
$^q, xrefs: 0628D82E
}c<, xrefs: 0628D789

Memory Dump Source

Source File: 00000003.00000002.2950775817.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6280000_PO P24-1100.jbxd

Similarity

API ID:
String ID: $c<$kc<$uc<$}c<$$^q$$^q$c<
API String ID: 0-2146872185
Opcode ID: 3bae80bebac3589e395681fa438e7770de26843b34d211ef18079d4c6fcc4126
Instruction ID: ec3ce6afe9fe059e2c6f08ca600a2cad92922d7e4e0d16e49b971845579201f6
Opcode Fuzzy Hash: 3bae80bebac3589e395681fa438e7770de26843b34d211ef18079d4c6fcc4126
Instruction Fuzzy Hash: 87A13A30E012199FDB64EF64D8507EDB7F2AF89300F5085EA9809AB394DA309E81CF95

Function 06288A60 Relevance: 3.9, Strings: 3, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XPcq, xrefs: 06288B94
\Ocq, xrefs: 06288C23
fcq, xrefs: 06288A9B

Memory Dump Source

Source File: 00000003.00000002.2950775817.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6280000_PO P24-1100.jbxd

Similarity

API ID:
String ID: fcq$XPcq$\Ocq
API String ID: 0-3575482020
Opcode ID: 68754ba2702048d8ed3a6fc7703242ac473a84c6fd5df33095d34b3d0684a548
Instruction ID: d0d854eae1073d69b1233bb3a763ced31865bc233288677d101529abb76a6b37
Opcode Fuzzy Hash: 68754ba2702048d8ed3a6fc7703242ac473a84c6fd5df33095d34b3d0684a548
Instruction Fuzzy Hash: E5519370F112099FEB55ABB888147AEBAE7EF88300F108429E546EB3D5DF748D41CB95

Function 062896A8 Relevance: 1.7, Strings: 1, Instructions: 448COMMON

Download Yara Rule

Strings

$, xrefs: 062898DF

Memory Dump Source

Source File: 00000003.00000002.2950775817.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6280000_PO P24-1100.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: 07be07fb04487c59334c8c0f74e02ed82bc779aafa5e3d964ec86f4e16b6aa34
Instruction ID: a4c80e363c0c6cf76a1c3edd43f3f8f41e00084abec8435ea73329f047698f0b
Opcode Fuzzy Hash: 07be07fb04487c59334c8c0f74e02ed82bc779aafa5e3d964ec86f4e16b6aa34
Instruction Fuzzy Hash: BCF1E231F112159FDF54EFA8C8506EEB7F2AF89310F108469E809AB384DB319C86CB91

Function 00B1AE90 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00B1AF1F

Memory Dump Source

Source File: 00000003.00000002.2945782612.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_PO P24-1100.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 385d5cba8b836216941269a43e57767d970b099c004d9dfa819dde207a014336
Instruction ID: e00bb43bf7d400861281421a3820c142a7b28573b5423de208deac7db0203266
Opcode Fuzzy Hash: 385d5cba8b836216941269a43e57767d970b099c004d9dfa819dde207a014336
Instruction Fuzzy Hash: 6221E4B5D012089FDB10CFA9D984ADEBBF5EB48310F54845AE918A3350D374A954CF65

Function 00B1AE98 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00B1AF1F

Memory Dump Source

Source File: 00000003.00000002.2945782612.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_PO P24-1100.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 87c2ce0d6bc2c6b7fa3af380bde4b681cd834e3561f35dca571a50ef05c65a25
Instruction ID: 956dde22f9da38788d0354a60bc5c4bd28f6815113e3efb5f831f2e70d44aa39
Opcode Fuzzy Hash: 87c2ce0d6bc2c6b7fa3af380bde4b681cd834e3561f35dca571a50ef05c65a25
Instruction Fuzzy Hash: 7021E2B59013089FDB10CFAAD984ADEBFF8EB48320F14805AE918A3350D374A944CFA5

Function 06203F71 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 06203FDF

Memory Dump Source

Source File: 00000003.00000002.2950649323.0000000006200000.00000040.00000800.00020000.00000000.sdmp, Offset: 06200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6200000_PO P24-1100.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 6b56d152616c4d17d3f64bddfe0b93bbac00536b087436a316a36ffbd4d22655
Instruction ID: a6ea8840e7cc60ffb36905c461ee365d8043f97833ad68fe85fb00ea72a0470f
Opcode Fuzzy Hash: 6b56d152616c4d17d3f64bddfe0b93bbac00536b087436a316a36ffbd4d22655
Instruction Fuzzy Hash: A01129B1C0025A9FCB10DF9AD445BDEFBF4EF48310F15816AD818A7241D778A944CFA1

Function 06203F78 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 06203FDF

Memory Dump Source

Source File: 00000003.00000002.2950649323.0000000006200000.00000040.00000800.00020000.00000000.sdmp, Offset: 06200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6200000_PO P24-1100.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 7e24093454fb55170ea299c1392ae30a6e4b9f42e223c0356101bc45e051f8d1
Instruction ID: 6bba19762e9cdd99a82a5ace7c24ec7fcc1eba8b8dcaf53944cccf4c8b14d296
Opcode Fuzzy Hash: 7e24093454fb55170ea299c1392ae30a6e4b9f42e223c0356101bc45e051f8d1
Instruction Fuzzy Hash: 051126B1C0025A9FCB10DF9AC444BDEFBF4EF48320F15816AD818A7241D778A944CFA1

Function 06286185 Relevance: 1.4, Strings: 1, Instructions: 120COMMON

Download Yara Rule

Strings

PH^q, xrefs: 062862EA

Memory Dump Source

Source File: 00000003.00000002.2950775817.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6280000_PO P24-1100.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: 96ee77c8c97b861462545b94aeb8b9860e85ea244ef56943c2ba09fb9bcb2f28
Instruction ID: 99c4c79a9cec5993360ecbd3dcebcd40898b5a792eb7d39d49f1f2aaf352c954
Opcode Fuzzy Hash: 96ee77c8c97b861462545b94aeb8b9860e85ea244ef56943c2ba09fb9bcb2f28
Instruction Fuzzy Hash: 62412230B112068FDB49AB7488246AF37E3AB89200F2045B9E406DB7D6EF38CC42C795

Function 06286198 Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

PH^q, xrefs: 062862EA

Memory Dump Source

Source File: 00000003.00000002.2950775817.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6280000_PO P24-1100.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: 86a69ff6eb25ba5573a68a844a823caf791ec7c2c7062d83032b03632ccd9f4a
Instruction ID: ca1d67eabfaf4438f27fe313bc4d50665d15d3b43093ec188253bd101450f2a3
Opcode Fuzzy Hash: 86a69ff6eb25ba5573a68a844a823caf791ec7c2c7062d83032b03632ccd9f4a
Instruction Fuzzy Hash: 2E31D230B112068FDB49AB78882476F76E7AF89200F2045A9E406DB3D5EE35CC42C795

Function 06288959 Relevance: 1.3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

Strings

\Ocq, xrefs: 06288965

Memory Dump Source

Source File: 00000003.00000002.2950775817.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6280000_PO P24-1100.jbxd

Similarity

API ID:
String ID: \Ocq
API String ID: 0-2995510325
Opcode ID: 85c9689bd86289e32c3f9112c1ff2ead297581e414bd89bd10cc00ba9168d455
Instruction ID: 3151d52b24d34f8d59d675cc8e17e9714375230083b239bfd1c4ffac0e802a52
Opcode Fuzzy Hash: 85c9689bd86289e32c3f9112c1ff2ead297581e414bd89bd10cc00ba9168d455
Instruction Fuzzy Hash: F8F0DA30A21129DFDB14DF94E959BAEBB72FF88700F604119E502A73D4CBB41D41CB81

Function 06283200 Relevance: .4, Instructions: 352COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2950775817.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6280000_PO P24-1100.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13169bd6aaf317ab9d7ced155bd9fb8bb8764bdb93fe9b6d81e1d6486b2ed75e
Instruction ID: f487958a7ae5b53f6c5a4690d7a71e394a97a483a1c6d8e4ea97d52179a1a6e9
Opcode Fuzzy Hash: 13169bd6aaf317ab9d7ced155bd9fb8bb8764bdb93fe9b6d81e1d6486b2ed75e
Instruction Fuzzy Hash: 39C10471B112129FDB54EBB8C880A6EB7A6FB88710F14856AD859CB385DB34DC42C7D1

Function 0628FDB5 Relevance: .4, Instructions: 350COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2950775817.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6280000_PO P24-1100.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42478ef0e840cc958399964a4dbcd1af0ba17999191d06368219faba7dd8ecdb
Instruction ID: 2d146879a8da052ea30846180b534c58dae7127ffa16034bbca5dddf7a8a6007
Opcode Fuzzy Hash: 42478ef0e840cc958399964a4dbcd1af0ba17999191d06368219faba7dd8ecdb
Instruction Fuzzy Hash: 35A17270F2110A5FDF64EA6CC9907AEB7E6EB89340F608465E909E73D2DE24DC81C751

Function 06288169 Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2950775817.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6280000_PO P24-1100.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c332c5bf30e3fa0cceddff3a9803e93f3f20f20647fa9116af46a6e21e804e8
Instruction ID: 6cf9e61f1c24a66755059a2018221b0521f3850f566fd846273ffaf6ddb099bd
Opcode Fuzzy Hash: 1c332c5bf30e3fa0cceddff3a9803e93f3f20f20647fa9116af46a6e21e804e8
Instruction Fuzzy Hash: DF918F31F112065FDB54EBB8C8506AEB7E7AFC9300F508569D80AEB385EE74DC428B95

Function 0628A120 Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2950775817.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6280000_PO P24-1100.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8435f459f78368376975f4dc8498d45d29f02c7a30d1808b51a677b99122e2f2
Instruction ID: c581db62fe39cddeda57bc26babc524e01474c067b7c37ea0c1fcec334815f6b
Opcode Fuzzy Hash: 8435f459f78368376975f4dc8498d45d29f02c7a30d1808b51a677b99122e2f2
Instruction Fuzzy Hash: 5A710671F011214FCB51AA7DCC946AFEAD7AFC5210B154436E80EDB361DE65DD0283D2

Function 06288178 Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2950775817.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6280000_PO P24-1100.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12ac7c4266264745fbdee1e8f00ee6a1f1618980580f985dbbda68ebcd825d21
Instruction ID: dbc3d164f81a2224d8b4e8b04f279afcd4f80e93e41c5dc77772ce8d42c660a1
Opcode Fuzzy Hash: 12ac7c4266264745fbdee1e8f00ee6a1f1618980580f985dbbda68ebcd825d21
Instruction Fuzzy Hash: 6F817F30F112065FDB54EBB8C8507AEB6E7AFC9300F508529D80AEB385EE74DC428B95

Function 062884C5 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2950775817.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6280000_PO P24-1100.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de50679353e9394efa7a54573036c4e94109965ac77f8d46762b60bb8df75940
Instruction ID: 67f0a2e289d528ea442efa1b402d93e5977e09c89d488696d1d727466a91e99e
Opcode Fuzzy Hash: de50679353e9394efa7a54573036c4e94109965ac77f8d46762b60bb8df75940
Instruction Fuzzy Hash: 28914F34E1021A8FDF60DF68C890B99B7B1FF89300F208995D54DAB295EB74AA85CF51

Function 0628A788 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2950775817.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6280000_PO P24-1100.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dafec8f7e848acffc05d3f7c21532d4097ddd9a2d26688b5687ab67a30d4a3e
Instruction ID: 3bec665f3664c1da8a7f411177a91507fd4092b0ae922925d46f2ac78a0ce96b
Opcode Fuzzy Hash: 2dafec8f7e848acffc05d3f7c21532d4097ddd9a2d26688b5687ab67a30d4a3e
Instruction Fuzzy Hash: E941D470D1A3999FCB02DFA8CC51ADEBFB4EF06200F14459BE444EB292D6349944CBA5

Function 06289330 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2950775817.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6280000_PO P24-1100.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5ea9c3419aac26772afa5a2808a4a9b872fae9130b128febc146902291882a1
Instruction ID: 08d80adc0dc7ce423266e7e8794be25d8c3e45cad4a85d79076c0955d5c7c6a4
Opcode Fuzzy Hash: a5ea9c3419aac26772afa5a2808a4a9b872fae9130b128febc146902291882a1
Instruction Fuzzy Hash: 29414E71E1060A8FDB60DE9DDC80ABEF7B2EB85310F104929E55AD7690D331A985CB90

Function 06286048 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2950775817.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6280000_PO P24-1100.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1fbf4f87a719c6e379586337f2f9b6871056abb1ebc8627c120d7d62d502631
Instruction ID: 79ad8b7a1c5a38c0cfc355b6f807b962a1c00c5f42e893aa169e97b896278ce5
Opcode Fuzzy Hash: b1fbf4f87a719c6e379586337f2f9b6871056abb1ebc8627c120d7d62d502631
Instruction Fuzzy Hash: D841C230E1521A9FCB45EF64D85469EB7F2BF89340F148519E806EB395EF71AC82CB90

Function 06286058 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2950775817.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6280000_PO P24-1100.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 185def5d97d1f8e7e9bed6616b5768d6e8f3c8b04a338c4d688b5993b2c807f1
Instruction ID: 1bf7ca04143495faa22246445d64f16aed2f930b2522fee6f04091c7ab943270
Opcode Fuzzy Hash: 185def5d97d1f8e7e9bed6616b5768d6e8f3c8b04a338c4d688b5993b2c807f1
Instruction Fuzzy Hash: 2A317E30E2021A9FCB55DFA5D85469EB7F2BF89344F108519E816EB385DF71AC42CB90

Function 06287D20 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2950775817.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6280000_PO P24-1100.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d35d1ab7e58d72c7a1dbabb3c34fc630c02f20bd30cdb5f4057db64604664a2
Instruction ID: 096da7cb0fede932f2736570dd56cf872ef2b598cfe430214bb36920845d6ea1
Opcode Fuzzy Hash: 6d35d1ab7e58d72c7a1dbabb3c34fc630c02f20bd30cdb5f4057db64604664a2
Instruction Fuzzy Hash: D6318171F012159FDB50EFBC88406FDB6E29B48710F5485AAE919F7385EA20CD4187A9

Function 06287D10 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2950775817.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6280000_PO P24-1100.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b49d9eec405cd1a0d6899d1c69f80a9f51021ccd4dbf3cbf979815ca2cf6c58e
Instruction ID: 46f2293e38e70a9d9cf6eebc5a1b3d485a589b765ac62f013955def3e29b58dd
Opcode Fuzzy Hash: b49d9eec405cd1a0d6899d1c69f80a9f51021ccd4dbf3cbf979815ca2cf6c58e
Instruction Fuzzy Hash: E631E371F112115FCB50EFB888113FDB7F29F48210F5485AAE949F7381EA20CD418799

Function 062871C6 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2950775817.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6280000_PO P24-1100.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bf2b3df55e8f557e2f9dd3a3db3796190a120eb7ace31fea204ef9f6aa0e451
Instruction ID: 7a62cd6013703a1c9518730f6205f35339528f251c266b50e6e26d915e70e1c9
Opcode Fuzzy Hash: 9bf2b3df55e8f557e2f9dd3a3db3796190a120eb7ace31fea204ef9f6aa0e451
Instruction Fuzzy Hash: 7F21E130E112199FCF54EF64DC805DEBBF5EF89300F2048A9E84AE7246DA319945CF91

Function 06289F30 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2950775817.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6280000_PO P24-1100.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 656397ebbd1a5ea2fef809a490303751d2f1a20c8ec33e7ba30f00e31c1fe0f2
Instruction ID: 640e33addf0d04d3e54447f8a336d49b083fa5f072b857e925133359974d5dfe
Opcode Fuzzy Hash: 656397ebbd1a5ea2fef809a490303751d2f1a20c8ec33e7ba30f00e31c1fe0f2
Instruction Fuzzy Hash: 2B218E35B100149FCB44DF68C4889AEBBF6FF8D710B1180A9E946DB7A1CA72EC058B90

Function 00ABD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2945483903.0000000000ABD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ABD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_abd000_PO P24-1100.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc891c5bcb535586bc50319bc839523fdb04b6c47d9eccef3faafd41beea4efc
Instruction ID: 4e9d845e790a1028d206ecf684c8c522ecec3caa60924bbe1a677eed9fd5abc7
Opcode Fuzzy Hash: fc891c5bcb535586bc50319bc839523fdb04b6c47d9eccef3faafd41beea4efc
Instruction Fuzzy Hash: 9121D075604240EFCB14EF14D984B66BBA9FB98324F24C969D80B4B286D33AD807CA61

Function 06287E48 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2950775817.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6280000_PO P24-1100.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca9d05888fe0d51695ec0e75020cc6e42f50bed3687fe27f08bf905f8d389ddd
Instruction ID: 306c21fcd5d26c5d4895e7e9c14c8fc37f25a5862d350328be975ed668f07dbd
Opcode Fuzzy Hash: ca9d05888fe0d51695ec0e75020cc6e42f50bed3687fe27f08bf905f8d389ddd
Instruction Fuzzy Hash: B4110836F210152FDB55A5B85C102FF77DBCBC8251F644576E64AE3285ED218D0283E1

Function 06287E58 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2950775817.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6280000_PO P24-1100.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b5d26e5988cf6b18913af347c8c3afd0d9ed5c05d22d4d73e9507db1587715d
Instruction ID: db3257ee79c53b3b9fc65b4171e9ef10fdda1b507e19aabbc533071b4b0f4f6e
Opcode Fuzzy Hash: 7b5d26e5988cf6b18913af347c8c3afd0d9ed5c05d22d4d73e9507db1587715d
Instruction Fuzzy Hash: 2A110631F210156FDB54EA7888106BF72EBCBC8254B60457AE90AE7380EE31DC0287A1

Function 06289320 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2950775817.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6280000_PO P24-1100.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adb5698362ab0ffeed015d34ee4ebfd1b5d62fd05217a2f3b69b643bcf43ec13
Instruction ID: a6f3e51e7572af841ca6b6634a188e480735b241419e802762266e50081c2bd1
Opcode Fuzzy Hash: adb5698362ab0ffeed015d34ee4ebfd1b5d62fd05217a2f3b69b643bcf43ec13
Instruction Fuzzy Hash: 7411EE31A0074A9FCB20DFA9DCC18AFFFF6FF85200B104929E59993281C330A885CB90

Function 062880C7 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2950775817.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6280000_PO P24-1100.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c72541ca8fe2f4badc1c93e561645eb8ab6010b48c4966e117bce6d36c4fc2d
Instruction ID: 8592bb18eda72b3c78b14c3971a2d0f550990cac3e6ec03becc8f40c8aad7063
Opcode Fuzzy Hash: 8c72541ca8fe2f4badc1c93e561645eb8ab6010b48c4966e117bce6d36c4fc2d
Instruction Fuzzy Hash: AB11F5307211521FDB91A67E9C5076BBBDACBCA650F14887AF44DCB382DE15CC428391

Function 0628EAF7 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2950775817.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6280000_PO P24-1100.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11fb52d05c569b7bf1b1cb2ad20d43bb36dfd5fd4051942dae9bbc39a063ebc3
Instruction ID: 1e901640887205a9e60623ea84498adddf3232f13b87ced1e51819be844a663e
Opcode Fuzzy Hash: 11fb52d05c569b7bf1b1cb2ad20d43bb36dfd5fd4051942dae9bbc39a063ebc3
Instruction Fuzzy Hash: 0B11D231B222110FDF91A67898A576F2BD6EB8A314F414869F48BCB3C6ED15DC028395

Function 06287AE8 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2950775817.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6280000_PO P24-1100.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a8b6da4563a41f22447035fa7a6d541d9051f722bf57e6d7023031aa4628969
Instruction ID: cddc1b7345ac8fbbf673cc13d27b973af8827050f4c79cc15de03f0facbcfe5e
Opcode Fuzzy Hash: 8a8b6da4563a41f22447035fa7a6d541d9051f722bf57e6d7023031aa4628969
Instruction Fuzzy Hash: 8721C2B5D11259AFCB00DF9AD885ACEFFB8FB48310F10812AE918A7341C374A954CBA5

Function 062837BC Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2950775817.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6280000_PO P24-1100.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4f2b7dc4152bbec4232ae62c7abd223582934fc3dd4a00036873451cb43cb98
Instruction ID: 7399047daa0b5536ed6d3f90c4e250c9aa6d186d3e9600659e3fbaaaaf917fe7
Opcode Fuzzy Hash: a4f2b7dc4152bbec4232ae62c7abd223582934fc3dd4a00036873451cb43cb98
Instruction Fuzzy Hash: FF21C2B5D11219AFCB00DF9AD884ADEFBB4FB48310F10812AE918B7341D374A954CBA5

Function 00ABD017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2945483903.0000000000ABD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ABD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_abd000_PO P24-1100.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction ID: ef3bef8e2f3936d7a216663552acb5c14453bc11ea58b9775fe97e6041f74fe0
Opcode Fuzzy Hash: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction Fuzzy Hash: 2E11BB75504280CFCB11DF14D5C4B15BBA2FB84324F28C6AAD80A4B696C33AD80ACBA2

Function 062880D8 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2950775817.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6280000_PO P24-1100.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d4fcc51c1423bd9f2d04938f203cfe10bd639f479f4c57ea75a9b62e5318466
Instruction ID: bea88155404b8d42e1bab6af918cdbc991a7e5e34cb77ec6d4cf20300d9d2641
Opcode Fuzzy Hash: 4d4fcc51c1423bd9f2d04938f203cfe10bd639f479f4c57ea75a9b62e5318466
Instruction Fuzzy Hash: FD01D631B210121FDB64A66EAC5071BA7DADBC9760F548839F40EC7385DE65DC028385

Function 0628EB08 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2950775817.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6280000_PO P24-1100.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3439dcfb327f6dd9bb0c637d0d23eb535723a01ae5ab7a0b4bc316bcef5d04c3
Instruction ID: ca86fa4e17a48863e4fde1d3371cfa791c989139f1cdbf3eef2fcb18bb6860aa
Opcode Fuzzy Hash: 3439dcfb327f6dd9bb0c637d0d23eb535723a01ae5ab7a0b4bc316bcef5d04c3
Instruction Fuzzy Hash: 2A01A230B212111FDB60A67D98A572E66D6EB8A754F508C29F54FC7385ED21DC028385

Function 00AAD628 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2945418187.0000000000AAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_aad000_PO P24-1100.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 086a7087d76b7f6f84ee1d673e87259b8b8355264a7025646e28c2ca0df3851b
Instruction ID: d33678b5a44d8ef3816b85cc7f8b0efb30864e1bfe705bd9765bed8fc8e789d7
Opcode Fuzzy Hash: 086a7087d76b7f6f84ee1d673e87259b8b8355264a7025646e28c2ca0df3851b
Instruction Fuzzy Hash: 59F0C2710043409AEB208B06DC88B66FFA8EB51334F18C45AED4D1B6C6C379A844CAB1

Function 0628A7D8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2950775817.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6280000_PO P24-1100.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99eaf142ca84b44b7758b2b24655deb4517eb82ac2963be868c188314192dacd
Instruction ID: 3d067cabe5f452e13a373bebf372b6a39bccf880cb3ff6395ffb08953b09e73b
Opcode Fuzzy Hash: 99eaf142ca84b44b7758b2b24655deb4517eb82ac2963be868c188314192dacd
Instruction Fuzzy Hash: 4EE0C270E22149AFDF50EAB4CD0575E73BCD701208F2088A6DC08CF281E976CE41D380

Function 06285B90 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2950775817.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6280000_PO P24-1100.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3536368fe46417f556c424d150c4c0772af8913a7b4ffcf963b19080fed9bba2
Instruction ID: 25c729b6d705871322c783ba1d36d30f9ca2f56c8ff56e8ac37574be8b830c62
Opcode Fuzzy Hash: 3536368fe46417f556c424d150c4c0772af8913a7b4ffcf963b19080fed9bba2
Instruction Fuzzy Hash: B4B0928E40A3E21FD243A2B48D262961AA00D5782038B02D38571C56E2DA4D448A8A26

Non-executed Functions

Function 0628B428 Relevance: 21.7, Strings: 17, Instructions: 435COMMON

Download Yara Rule

Strings

kc<, xrefs: 0628B712
$^q, xrefs: 0628B72A
.5vq, xrefs: 0628B47A
Vc<, xrefs: 0628B4EB
c<, xrefs: 0628B7A5
$^q, xrefs: 0628B8E7
$^q, xrefs: 0628B963
$^q, xrefs: 0628B736
uc<, xrefs: 0628B692
$^q, xrefs: 0628B957
xc<, xrefs: 0628B6AE
$c<, xrefs: 0628B7BC
(c<, xrefs: 0628B4BD
$^q, xrefs: 0628B6A6
6c<, xrefs: 0628B51A
Zc<, xrefs: 0628B648
Hc<, xrefs: 0628B493

Memory Dump Source

Source File: 00000003.00000002.2950775817.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6280000_PO P24-1100.jbxd

Similarity

API ID:
String ID: c<$$c<$(c<$.5vq$6c<$Hc<$Vc<$Zc<$kc<$uc<$xc<$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-1940057540
Opcode ID: 6e9d61812a2d218a175037ed273de2da343ec08de6ba23bb3f00c5636095c0ef
Instruction ID: 1f2e65a66fc28ea641c79f870b8cd5dd7d45aa8edcd80355aaaeace3a1a3e57a
Opcode Fuzzy Hash: 6e9d61812a2d218a175037ed273de2da343ec08de6ba23bb3f00c5636095c0ef
Instruction Fuzzy Hash: 67F16E30B113099FDB58EFB9C4546AEB7E2AF84301F60856DE41AAB395DF709C81CB91

Function 0628F1D8 Relevance: 10.2, Strings: 8, Instructions: 249COMMON

Download Yara Rule

Strings

$^q, xrefs: 0628F347
$^q, xrefs: 0628F3B4
$^q, xrefs: 0628F378
$^q, xrefs: 0628F2E6
$^q, xrefs: 0628F36C
$^q, xrefs: 0628F33B
$^q, xrefs: 0628F2DA
$^q, xrefs: 0628F3A8

Memory Dump Source

Source File: 00000003.00000002.2950775817.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6280000_PO P24-1100.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3823777903
Opcode ID: b65285b3f0530bdc2152f95f66efcc8fadbe32258cb84c9b9f4adf4acbc7c957
Instruction ID: 335afd78e4f6be63aca0426e03619ae9b15beb356a460d6d03211831ddfc02b6
Opcode Fuzzy Hash: b65285b3f0530bdc2152f95f66efcc8fadbe32258cb84c9b9f4adf4acbc7c957
Instruction Fuzzy Hash: A991A130E212099FDB64FF68DA557AE77F2AF84340F508429E815AB2D5DF748C81CB91

Function 0628B418 Relevance: 7.7, Strings: 6, Instructions: 182COMMON

Download Yara Rule

Strings

.5vq, xrefs: 0628B47A
(c<, xrefs: 0628B4BD
Vc<, xrefs: 0628B4EB
Zc<, xrefs: 0628B648
6c<, xrefs: 0628B51A
Hc<, xrefs: 0628B493

Memory Dump Source

Source File: 00000003.00000002.2950775817.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6280000_PO P24-1100.jbxd

Similarity

API ID:
String ID: (c<$.5vq$6c<$Hc<$Vc<$Zc<
API String ID: 0-737864906
Opcode ID: 5cac1e45a2531cd5741181d19014c130eea5db600f9318af78c2c5ecd16bd34a
Instruction ID: 677d547b6a8392325286963a046a7990b7d0806a0abba8793ae05b605ea71b89
Opcode Fuzzy Hash: 5cac1e45a2531cd5741181d19014c130eea5db600f9318af78c2c5ecd16bd34a
Instruction Fuzzy Hash: D3718C30A113198FDB54EFA8C8557AEB7F2AF88301F60856DE409AB395DB709C81CB95

Function 0628E868 Relevance: 6.4, Strings: 5, Instructions: 200COMMON

Download Yara Rule

Strings

Cc<, xrefs: 0628E8FD
Jc<, xrefs: 0628E926
fc<, xrefs: 0628E932
lc<, xrefs: 0628E94B
Sc<, xrefs: 0628E8AB

Memory Dump Source

Source File: 00000003.00000002.2950775817.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6280000_PO P24-1100.jbxd

Similarity

API ID:
String ID: Cc<$Jc<$Sc<$fc<$lc<
API String ID: 0-1955103774
Opcode ID: ee8e171c61d41db8d0fcaffeb37d1596a45be9e4c5259f9dcdd19082bcf87b3e
Instruction ID: 7707616347db0d7db90bacc083218793824b4184ead8f0d90bb197ca8999df7d
Opcode Fuzzy Hash: ee8e171c61d41db8d0fcaffeb37d1596a45be9e4c5259f9dcdd19082bcf87b3e
Instruction Fuzzy Hash: E551D431B111055FCB44EBB8D8506AEB2F7EBC9610F50856AE91AE7384EE70DC428B96

Function 0628DC58 Relevance: 5.3, Strings: 4, Instructions: 328COMMON

Download Yara Rule

Strings

c<, xrefs: 0628DF79
Uc<, xrefs: 0628DE1E
`c<, xrefs: 0628DED3
Ec<, xrefs: 0628DE39

Memory Dump Source

Source File: 00000003.00000002.2950775817.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6280000_PO P24-1100.jbxd

Similarity

API ID:
String ID: c<$Ec<$Uc<$`c<
API String ID: 0-665649908
Opcode ID: c6625474b666b1e0e4b34634b87bf104022cf440256a02863c6332542bb5a277
Instruction ID: d3dccaba8f2f0bf08f2fec7469bb2bdc7b38e5eb02c1e5f814622995037e2d69
Opcode Fuzzy Hash: c6625474b666b1e0e4b34634b87bf104022cf440256a02863c6332542bb5a277
Instruction Fuzzy Hash: 51D1A030E202198FCBA4EF64CC846ADB7F2AF85304F518499D849AF394DB709D86CB81

Function 0628C8F0 Relevance: 5.3, Strings: 4, Instructions: 298COMMON

Download Yara Rule

Strings

$^q, xrefs: 0628CB6F
$^q, xrefs: 0628CBDA
$^q, xrefs: 0628CB7B
$^q, xrefs: 0628CBE6

Memory Dump Source

Source File: 00000003.00000002.2950775817.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6280000_PO P24-1100.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: af9c54b9eb35bb4414a64a33ba85b1da8e02c4c2051ea21c4913b7ab0482a722
Instruction ID: 1f2a331fcf3d2ddc4af79f5045c96d7a6f56e92a546847f1e28f3a7072af922f
Opcode Fuzzy Hash: af9c54b9eb35bb4414a64a33ba85b1da8e02c4c2051ea21c4913b7ab0482a722
Instruction Fuzzy Hash: 19B15030B112199FDB54EF78C8546AEB7E2AF84301F548969E406DB395DF70DC82CB90

Function 0628EBB8 Relevance: 5.2, Strings: 4, Instructions: 212COMMON

Download Yara Rule

Strings

ac<, xrefs: 0628EC99
Dc<, xrefs: 0628EC67
;c<, xrefs: 0628ED12
qc<, xrefs: 0628EC81

Memory Dump Source

Source File: 00000003.00000002.2950775817.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6280000_PO P24-1100.jbxd

Similarity

API ID:
String ID: ;c<$Dc<$ac<$qc<
API String ID: 0-323276557
Opcode ID: f4083bf011e5eb57fd9edd11307bec6fec3e81e2d823cd3a25f6b5a64094325c
Instruction ID: 75b0a0e07d251fe216ab1a34558184300f75a41133a6f91be0e1133e094330d6
Opcode Fuzzy Hash: f4083bf011e5eb57fd9edd11307bec6fec3e81e2d823cd3a25f6b5a64094325c
Instruction Fuzzy Hash: 6A71AF31F112059FCB54EBA8D8805ADB7F6EF88310F508969E94AE7391EB319C45CB91

Function 0628CD38 Relevance: 5.2, Strings: 4, Instructions: 190COMMON

Download Yara Rule

Strings

$^q, xrefs: 0628CDD3
$^q, xrefs: 0628CDC7
LR^q, xrefs: 0628CE3E
LR^q, xrefs: 0628CEA4

Memory Dump Source

Source File: 00000003.00000002.2950775817.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6280000_PO P24-1100.jbxd

Similarity

API ID:
String ID: LR^q$LR^q$$^q$$^q
API String ID: 0-2454687669
Opcode ID: d9f8d4991801af7f6d283fe04d5a866028f685ecee351c0ef3928d3a20a76dd1
Instruction ID: 49235c2290afa7ff6b177743fa0bac6e745cddb051bdeff9a343b60a85b0702f
Opcode Fuzzy Hash: d9f8d4991801af7f6d283fe04d5a866028f685ecee351c0ef3928d3a20a76dd1
Instruction Fuzzy Hash: 6F61D330B212059FDB58FB78C851A6EB6E2EF85700F5089A9F816AB395DF30DC41C7A5

Function 0628F59A Relevance: 5.2, Strings: 4, Instructions: 167COMMON

Download Yara Rule

Strings

$^q, xrefs: 0628F78F
$^q, xrefs: 0628F760
$^q, xrefs: 0628F6D9
$^q, xrefs: 0628F72B

Memory Dump Source

Source File: 00000003.00000002.2950775817.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6280000_PO P24-1100.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 81c255c9de4ebcb67e42735f957b62f4255be658663cbb07a1215cee834f6af2
Instruction ID: e00e9ff07b7f4b6dcb0e3b178e1f339c01843525880a3dbba316e85aef62921a
Opcode Fuzzy Hash: 81c255c9de4ebcb67e42735f957b62f4255be658663cbb07a1215cee834f6af2
Instruction Fuzzy Hash: 4E519330F212069FDF55BB68D9506AD73F2EF84341F548969E815DB295EA30DC41CB41

Function 0628EBAA Relevance: 5.1, Strings: 4, Instructions: 136COMMON

Download Yara Rule

Strings

ac<, xrefs: 0628EC99
Dc<, xrefs: 0628EC67
;c<, xrefs: 0628ED12
qc<, xrefs: 0628EC81

Memory Dump Source

Source File: 00000003.00000002.2950775817.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6280000_PO P24-1100.jbxd

Similarity

API ID:
String ID: ;c<$Dc<$ac<$qc<
API String ID: 0-323276557
Opcode ID: 2238ab83c4f0223ee74104ce27fb12d8f0cd6da878bc95bed0e05483d4bfcea9
Instruction ID: f0103e8d3f725c154b4844fc450b24d70ca43cde13960f95a1418f71834e2f01
Opcode Fuzzy Hash: 2238ab83c4f0223ee74104ce27fb12d8f0cd6da878bc95bed0e05483d4bfcea9
Instruction Fuzzy Hash: 8A41BF70B102059FCB54EFB8D8955AEBBF2EF88300B5049A9E44AE7395DE319C42CB91

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PO P24-1100.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO P24-1100.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3wmli3r0.p5s.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_b1u0lg1i.cy2.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mw3sbiun.1pu.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vabyxww4.fcn.ps1

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

UDP Packets

Windows Analysis Report
PO P24-1100.exe

Function 00E4D3B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 135
threadCOMMON

Function 00E4D3C0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 128
threadCOMMON

Function 02BE1CE4 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 119
COMMON

Function 02BE1CF0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113
COMMON

Function 00E4B130 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 197
COMMON

Function 00E4590D Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 98
COMMON

Function 02BE0BE4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 97
COMMON

Function 00E444C4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 96
COMMON

Function 00E4D600 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65
COMMON

Function 00E4D608 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62
COMMON

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre