Edit tour

Windows Analysis Report
Telco 32pcs New Purchase Order.exe

Overview

General Information

Sample name:	Telco 32pcs New Purchase Order.exe
Analysis ID:	1519146
MD5:	8d310f2e831174aac8eaa5eba20e87ad
SHA1:	600ef55976b69523c7973c5d0aeeb91f3fdcf97e
SHA256:	457b6241f125cd8c4f030e7b7f05829b89a5e831f624225cb70ea272ecd88876
Tags:	AgentTeslaexeuser-cocaman
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AgentTesla

Yara detected AntiVM3

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Contains functionality to log keystrokes (.Net Source)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Installs a global keyboard hook

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE / OLE file has an invalid certificate

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Outbound SMTP Connections

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Telco 32pcs New Purchase Order.exe (PID: 4136 cmdline: "C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe" MD5: 8D310F2E831174AAC8EAA5EBA20E87AD)

powershell.exe (PID: 6836 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 3660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6884 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 3564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7348 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 1532 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zBzzGAdzqF" /XML "C:\Users\user\AppData\Local\Temp\tmp4878.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 2212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Telco 32pcs New Purchase Order.exe (PID: 5040 cmdline: "C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe" MD5: 8D310F2E831174AAC8EAA5EBA20E87AD)

Telco 32pcs New Purchase Order.exe (PID: 4508 cmdline: "C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe" MD5: 8D310F2E831174AAC8EAA5EBA20E87AD)

zBzzGAdzqF.exe (PID: 2768 cmdline: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe MD5: 8D310F2E831174AAC8EAA5EBA20E87AD)

schtasks.exe (PID: 7444 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zBzzGAdzqF" /XML "C:\Users\user\AppData\Local\Temp\tmp5C8D.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

zBzzGAdzqF.exe (PID: 7500 cmdline: "C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe" MD5: 8D310F2E831174AAC8EAA5EBA20E87AD)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "25", "Host": "mail.iaa-airferight.com", "Username": "mail@iaa-airferight.com", "Password": "Asaprocky11"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000000F.00000002.2689631627.0000000003141000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000F.00000002.2689631627.0000000003141000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000A.00000002.2689533130.0000000002C0C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000F.00000002.2689631627.0000000003165000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000A.00000002.2689533130.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.2689533130.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000A.00000002.2685907689.0000000000435000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.2685907689.0000000000435000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1461636343.0000000003B49000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1461636343.0000000003B49000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Telco 32pcs New Purchase Order.exe PID: 4136	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Telco 32pcs New Purchase Order.exe PID: 4136	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Telco 32pcs New Purchase Order.exe PID: 4508	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Telco 32pcs New Purchase Order.exe PID: 4508	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: zBzzGAdzqF.exe PID: 2768	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: zBzzGAdzqF.exe PID: 7500	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: zBzzGAdzqF.exe PID: 7500	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 12 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Telco 32pcs New Purchase Order.exe.3db27b8.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Telco 32pcs New Purchase Order.exe.3db27b8.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Telco 32pcs New Purchase Order.exe.3db27b8.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316f7:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31769:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317f3:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31885:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318ef:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31961:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319f7:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a87:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
10.2.Telco 32pcs New Purchase Order.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.Telco 32pcs New Purchase Order.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
10.2.Telco 32pcs New Purchase Order.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334f7:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33569:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335f3:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33685:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336ef:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33761:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337f7:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33887:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Telco 32pcs New Purchase Order.exe.3ded1d8.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Telco 32pcs New Purchase Order.exe.3ded1d8.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Telco 32pcs New Purchase Order.exe.3ded1d8.3.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316f7:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31769:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317f3:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31885:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318ef:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31961:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319f7:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a87:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Telco 32pcs New Purchase Order.exe.3ded1d8.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Telco 32pcs New Purchase Order.exe.3ded1d8.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Telco 32pcs New Purchase Order.exe.3ded1d8.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Telco 32pcs New Purchase Order.exe.3ded1d8.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334f7:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33569:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335f3:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33685:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336ef:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33761:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337f7:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33887:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Telco 32pcs New Purchase Order.exe.3db27b8.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Telco 32pcs New Purchase Order.exe.3db27b8.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Telco 32pcs New Purchase Order.exe.3db27b8.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Telco 32pcs New Purchase Order.exe.3db27b8.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334f7:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6df17:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33569:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6df89:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335f3:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6e013:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33685:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e0a5:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336ef:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e10f:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33761:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6e181:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337f7:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e217:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33887:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6e2a7:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Click to see the 12 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe", ParentImage: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe, ParentProcessId: 4136, ParentProcessName: Telco 32pcs New Purchase Order.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe", ProcessId: 6836, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zBzzGAdzqF" /XML "C:\Users\user\AppData\Local\Temp\tmp5C8D.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zBzzGAdzqF" /XML "C:\Users\user\AppData\Local\Temp\tmp5C8D.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe, ParentImage: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe, ParentProcessId: 2768, ParentProcessName: zBzzGAdzqF.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zBzzGAdzqF" /XML "C:\Users\user\AppData\Local\Temp\tmp5C8D.tmp", ProcessId: 7444, ProcessName: schtasks.exe

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 46.175.148.58, DestinationIsIpv6: false, DestinationPort: 25, EventID: 3, Image: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe, Initiated: true, ProcessId: 4508, Protocol: tcp, SourceIp: 192.168.2.8, SourceIsIpv6: false, SourcePort: 49711

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zBzzGAdzqF" /XML "C:\Users\user\AppData\Local\Temp\tmp4878.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zBzzGAdzqF" /XML "C:\Users\user\AppData\Local\Temp\tmp4878.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe", ParentImage: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe, ParentProcessId: 4136, ParentProcessName: Telco 32pcs New Purchase Order.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zBzzGAdzqF" /XML "C:\Users\user\AppData\Local\Temp\tmp4878.tmp", ProcessId: 1532, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe", ParentImage: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe, ParentProcessId: 4136, ParentProcessName: Telco 32pcs New Purchase Order.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe", ProcessId: 6836, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zBzzGAdzqF" /XML "C:\Users\user\AppData\Local\Temp\tmp4878.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zBzzGAdzqF" /XML "C:\Users\user\AppData\Local\Temp\tmp4878.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe", ParentImage: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe, ParentProcessId: 4136, ParentProcessName: Telco 32pcs New Purchase Order.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zBzzGAdzqF" /XML "C:\Users\user\AppData\Local\Temp\tmp4878.tmp", ProcessId: 1532, ProcessName: schtasks.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://mail.iaa-airferight.com

Avira URL Cloud: Label: malware

Found malware configuration

Source: 0.2.Telco 32pcs New Purchase Order.exe.3db27b8.2.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "25", "Host": "mail.iaa-airferight.com", "Username": "mail@iaa-airferight.com", "Password": "Asaprocky11"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe

ReversingLabs: Detection: 44%

Multi AV Scanner detection for submitted file

Source: Telco 32pcs New Purchase Order.exe

ReversingLabs: Detection: 44%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Telco 32pcs New Purchase Order.exe

Joe Sandbox ML: detected

Source: Telco 32pcs New Purchase Order.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.8:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.8:49712 version: TLS 1.2

Source: Telco 32pcs New Purchase Order.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: yuyGs.pdb source: Telco 32pcs New Purchase Order.exe, zBzzGAdzqF.exe.0.dr
Source:	Binary string: yuyGs.pdbSHA256m source: Telco 32pcs New Purchase Order.exe, zBzzGAdzqF.exe.0.dr

Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Code function: 4x nop then jmp 071DCB88h		0_2_071DD062
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Code function: 4x nop then jmp 073EBA20h		11_2_073EBEFA

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.Telco 32pcs New Purchase Order.exe.3ded1d8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Telco 32pcs New Purchase Order.exe.3db27b8.2.raw.unpack, type: UNPACKEDPE

Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View	IP Address: 46.175.148.58 46.175.148.58

Source: Joe Sandbox View

ASN Name: ASLAGIDKOM-NETUA ASLAGIDKOM-NETUA

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: global traffic

TCP traffic: 192.168.2.8:49711 -> 46.175.148.58:25

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: mail.iaa-airferight.com

Source: Telco 32pcs New Purchase Order.exe, zBzzGAdzqF.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Telco 32pcs New Purchase Order.exe, zBzzGAdzqF.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: Telco 32pcs New Purchase Order.exe, zBzzGAdzqF.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Telco 32pcs New Purchase Order.exe, zBzzGAdzqF.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: zBzzGAdzqF.exe, 0000000F.00000002.2701127043.0000000006B52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mG
Source: Telco 32pcs New Purchase Order.exe, zBzzGAdzqF.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Telco 32pcs New Purchase Order.exe, zBzzGAdzqF.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: Telco 32pcs New Purchase Order.exe, zBzzGAdzqF.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Telco 32pcs New Purchase Order.exe, zBzzGAdzqF.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Telco 32pcs New Purchase Order.exe, zBzzGAdzqF.exe.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: Telco 32pcs New Purchase Order.exe, 0000000A.00000002.2689533130.0000000002C0C000.00000004.00000800.00020000.00000000.sdmp, zBzzGAdzqF.exe, 0000000F.00000002.2689631627.0000000003165000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.iaa-airferight.com
Source: Telco 32pcs New Purchase Order.exe, zBzzGAdzqF.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: Telco 32pcs New Purchase Order.exe, zBzzGAdzqF.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: Telco 32pcs New Purchase Order.exe, zBzzGAdzqF.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: Telco 32pcs New Purchase Order.exe, zBzzGAdzqF.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: Telco 32pcs New Purchase Order.exe, zBzzGAdzqF.exe.0.dr	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: Telco 32pcs New Purchase Order.exe, zBzzGAdzqF.exe.0.dr	String found in binary or memory: http://s2.symcb.com0
Source: Telco 32pcs New Purchase Order.exe, 00000000.00000002.1460082719.0000000002B8C000.00000004.00000800.00020000.00000000.sdmp, Telco 32pcs New Purchase Order.exe, 0000000A.00000002.2689533130.0000000002B91000.00000004.00000800.00020000.00000000.sdmp, zBzzGAdzqF.exe, 0000000B.00000002.1511440653.0000000002ECC000.00000004.00000800.00020000.00000000.sdmp, zBzzGAdzqF.exe, 0000000F.00000002.2689631627.00000000030F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Telco 32pcs New Purchase Order.exe, zBzzGAdzqF.exe.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: Telco 32pcs New Purchase Order.exe, zBzzGAdzqF.exe.0.dr	String found in binary or memory: http://www.symauth.com/cps0(
Source: Telco 32pcs New Purchase Order.exe, zBzzGAdzqF.exe.0.dr	String found in binary or memory: http://www.symauth.com/rpa00
Source: Telco 32pcs New Purchase Order.exe, 00000000.00000002.1461636343.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, Telco 32pcs New Purchase Order.exe, 0000000A.00000002.2685907689.0000000000435000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: Telco 32pcs New Purchase Order.exe, 00000000.00000002.1461636343.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, Telco 32pcs New Purchase Order.exe, 0000000A.00000002.2689533130.0000000002B91000.00000004.00000800.00020000.00000000.sdmp, zBzzGAdzqF.exe, 0000000F.00000002.2685915143.0000000000434000.00000040.00000400.00020000.00000000.sdmp, zBzzGAdzqF.exe, 0000000F.00000002.2689631627.00000000030F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: Telco 32pcs New Purchase Order.exe, 0000000A.00000002.2689533130.0000000002B91000.00000004.00000800.00020000.00000000.sdmp, zBzzGAdzqF.exe, 0000000F.00000002.2689631627.00000000030F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: Telco 32pcs New Purchase Order.exe, 0000000A.00000002.2689533130.0000000002B91000.00000004.00000800.00020000.00000000.sdmp, zBzzGAdzqF.exe, 0000000F.00000002.2689631627.00000000030F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t
Source: Telco 32pcs New Purchase Order.exe, zBzzGAdzqF.exe.0.dr	String found in binary or memory: https://static.wikia.nocookie.net/mitologa/images/a/a3/Imagen_por_defecto.png/revision/latest/thumbn

Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.8:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.8:49712 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.Telco 32pcs New Purchase Order.exe.3db27b8.2.raw.unpack, abAX9N.cs	.Net Code: BFeixnEv
Source: 0.2.Telco 32pcs New Purchase Order.exe.3ded1d8.3.raw.unpack, abAX9N.cs	.Net Code: BFeixnEv

Installs a global keyboard hook

Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe			Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe

Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Window created: window name: CLIPBRDWNDCLASS			Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Window created: window name: CLIPBRDWNDCLASS

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.Telco 32pcs New Purchase Order.exe.3db27b8.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.Telco 32pcs New Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Telco 32pcs New Purchase Order.exe.3ded1d8.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Telco 32pcs New Purchase Order.exe.3ded1d8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Telco 32pcs New Purchase Order.exe.3db27b8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Telco 32pcs New Purchase Order.exe

Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Code function: 0_2_011FD364	0_2_011FD364
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Code function: 0_2_050F9700	0_2_050F9700
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Code function: 0_2_050F001F	0_2_050F001F
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Code function: 0_2_050F0040	0_2_050F0040
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Code function: 0_2_050F96F2	0_2_050F96F2
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Code function: 0_2_056E950B	0_2_056E950B
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Code function: 0_2_056E9518	0_2_056E9518
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Code function: 0_2_056EF12B	0_2_056EF12B
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Code function: 0_2_056EF138	0_2_056EF138
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Code function: 0_2_056E1998	0_2_056E1998
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Code function: 0_2_071D0040	0_2_071D0040
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Code function: 0_2_071DCAA8	0_2_071DCAA8
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Code function: 0_2_071D3619	0_2_071D3619
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Code function: 0_2_071D83B8	0_2_071D83B8
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Code function: 0_2_071D91A0	0_2_071D91A0
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Code function: 0_2_071D0006	0_2_071D0006
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Code function: 0_2_071D6D10	0_2_071D6D10
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Code function: 0_2_071D8C90	0_2_071D8C90
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Code function: 0_2_071D8C80	0_2_071D8C80
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Code function: 0_2_071D68B8	0_2_071D68B8
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Code function: 10_2_011CA968	10_2_011CA968
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Code function: 10_2_011C4A98	10_2_011C4A98
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Code function: 10_2_011C3E80	10_2_011C3E80
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Code function: 10_2_011C41C8	10_2_011C41C8
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Code function: 10_2_011CF8A5	10_2_011CF8A5
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Code function: 11_2_0148D364	11_2_0148D364
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Code function: 11_2_073E0040	11_2_073E0040
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Code function: 11_2_073EB940	11_2_073EB940
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Code function: 11_2_073E3619	11_2_073E3619
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Code function: 11_2_073E83B8	11_2_073E83B8
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Code function: 11_2_073E8148	11_2_073E8148
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Code function: 11_2_073E91A0	11_2_073E91A0
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Code function: 11_2_073E001E	11_2_073E001E
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Code function: 11_2_073EEF30	11_2_073EEF30
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Code function: 11_2_073E6D10	11_2_073E6D10
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Code function: 11_2_073E8C90	11_2_073E8C90
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Code function: 11_2_073E8C80	11_2_073E8C80
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Code function: 11_2_073E68A5	11_2_073E68A5
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Code function: 11_2_08C01998	11_2_08C01998
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Code function: 11_2_08C0F12B	11_2_08C0F12B
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Code function: 11_2_08C0F138	11_2_08C0F138
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Code function: 11_2_08C0950B	11_2_08C0950B
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Code function: 11_2_08C09518	11_2_08C09518
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Code function: 15_2_0179A968	15_2_0179A968
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Code function: 15_2_01794A98	15_2_01794A98
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Code function: 15_2_01793E80	15_2_01793E80
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Code function: 15_2_017941C8	15_2_017941C8
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Code function: 15_2_0179F8A5	15_2_0179F8A5
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Code function: 15_2_05D55D30	15_2_05D55D30
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Code function: 15_2_05D591F0	15_2_05D591F0
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Code function: 15_2_05D5A140	15_2_05D5A140
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Code function: 15_2_05D5E0C8	15_2_05D5E0C8
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Code function: 15_2_05D545A0	15_2_05D545A0
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Code function: 15_2_05D53578	15_2_05D53578
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Code function: 15_2_05D53CA0	15_2_05D53CA0
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Code function: 15_2_05D55650	15_2_05D55650
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Code function: 15_2_05D5C618	15_2_05D5C618
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Code function: 15_2_05D50338	15_2_05D50338

Source: Telco 32pcs New Purchase Order.exe

Static PE information: invalid certificate

Source: Telco 32pcs New Purchase Order.exe, 00000000.00000000.1434374405.0000000000772000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameyuyGs.exe: vs Telco 32pcs New Purchase Order.exe
Source: Telco 32pcs New Purchase Order.exe, 00000000.00000002.1483913264.0000000008D7A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs Telco 32pcs New Purchase Order.exe
Source: Telco 32pcs New Purchase Order.exe, 00000000.00000002.1482724477.00000000071E0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs Telco 32pcs New Purchase Order.exe
Source: Telco 32pcs New Purchase Order.exe, 00000000.00000002.1460082719.0000000002B8C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename8854fa4e-ee03-4899-b0c3-2df80b3f7614.exe4 vs Telco 32pcs New Purchase Order.exe
Source: Telco 32pcs New Purchase Order.exe, 00000000.00000002.1458787818.0000000000F3E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Telco 32pcs New Purchase Order.exe
Source: Telco 32pcs New Purchase Order.exe, 00000000.00000002.1461636343.0000000003B49000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename8854fa4e-ee03-4899-b0c3-2df80b3f7614.exe4 vs Telco 32pcs New Purchase Order.exe
Source: Telco 32pcs New Purchase Order.exe, 00000000.00000002.1461636343.0000000003B49000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs Telco 32pcs New Purchase Order.exe
Source: Telco 32pcs New Purchase Order.exe, 0000000A.00000002.2686390719.0000000000D59000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Telco 32pcs New Purchase Order.exe
Source: Telco 32pcs New Purchase Order.exe, 0000000A.00000002.2685907689.0000000000435000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilename8854fa4e-ee03-4899-b0c3-2df80b3f7614.exe4 vs Telco 32pcs New Purchase Order.exe
Source: Telco 32pcs New Purchase Order.exe	Binary or memory string: OriginalFilenameyuyGs.exe: vs Telco 32pcs New Purchase Order.exe

Source: Telco 32pcs New Purchase Order.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.Telco 32pcs New Purchase Order.exe.3db27b8.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.Telco 32pcs New Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Telco 32pcs New Purchase Order.exe.3ded1d8.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Telco 32pcs New Purchase Order.exe.3ded1d8.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Telco 32pcs New Purchase Order.exe.3db27b8.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: Telco 32pcs New Purchase Order.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: zBzzGAdzqF.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.Telco 32pcs New Purchase Order.exe.3db27b8.2.raw.unpack, RsYAkkzVoy.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Telco 32pcs New Purchase Order.exe.3db27b8.2.raw.unpack, Kqqzixk.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Telco 32pcs New Purchase Order.exe.3db27b8.2.raw.unpack, xROdzGigX.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Telco 32pcs New Purchase Order.exe.3db27b8.2.raw.unpack, ywes.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Telco 32pcs New Purchase Order.exe.3db27b8.2.raw.unpack, iPVW0zV.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.Telco 32pcs New Purchase Order.exe.3db27b8.2.raw.unpack, 1Pi9sgbHwoV.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Telco 32pcs New Purchase Order.exe.3db27b8.2.raw.unpack, YUgDfWK2g4.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Telco 32pcs New Purchase Order.exe.3db27b8.2.raw.unpack, YUgDfWK2g4.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.Telco 32pcs New Purchase Order.exe.3db27b8.2.raw.unpack, MarWtcu.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Telco 32pcs New Purchase Order.exe.3db27b8.2.raw.unpack, MarWtcu.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Telco 32pcs New Purchase Order.exe.3db27b8.2.raw.unpack, MarWtcu.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Telco 32pcs New Purchase Order.exe.3db27b8.2.raw.unpack, MarWtcu.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.Telco 32pcs New Purchase Order.exe.71e0000.6.raw.unpack, qu4eVoHSPo9ejA6esY.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Telco 32pcs New Purchase Order.exe.71e0000.6.raw.unpack, qu4eVoHSPo9ejA6esY.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Telco 32pcs New Purchase Order.exe.71e0000.6.raw.unpack, qu4eVoHSPo9ejA6esY.cs	Security API names: _0020.AddAccessRule
Source: 0.2.Telco 32pcs New Purchase Order.exe.71e0000.6.raw.unpack, IPKqHFaHGVDOvQLAAk.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Telco 32pcs New Purchase Order.exe.3e30bd8.4.raw.unpack, qu4eVoHSPo9ejA6esY.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Telco 32pcs New Purchase Order.exe.3e30bd8.4.raw.unpack, qu4eVoHSPo9ejA6esY.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Telco 32pcs New Purchase Order.exe.3e30bd8.4.raw.unpack, qu4eVoHSPo9ejA6esY.cs	Security API names: _0020.AddAccessRule
Source: 0.2.Telco 32pcs New Purchase Order.exe.3e30bd8.4.raw.unpack, IPKqHFaHGVDOvQLAAk.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@21/15@2/2

Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe

File created: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7452:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2212:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3564:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3660:120:WilError_03

Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe

File created: C:\Users\user\AppData\Local\Temp\tmp4878.tmp

Jump to behavior

Source: Telco 32pcs New Purchase Order.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Telco 32pcs New Purchase Order.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Telco 32pcs New Purchase Order.exe

ReversingLabs: Detection: 44%

Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe

File read: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe "C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe"
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zBzzGAdzqF" /XML "C:\Users\user\AppData\Local\Temp\tmp4878.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process created: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe "C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe"
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process created: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe "C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zBzzGAdzqF" /XML "C:\Users\user\AppData\Local\Temp\tmp5C8D.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process created: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe "C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe"
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zBzzGAdzqF" /XML "C:\Users\user\AppData\Local\Temp\tmp4878.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process created: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe "C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process created: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe "C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zBzzGAdzqF" /XML "C:\Users\user\AppData\Local\Temp\tmp5C8D.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process created: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe "C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Section loaded: edputil.dll

Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: Telco 32pcs New Purchase Order.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Telco 32pcs New Purchase Order.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: Telco 32pcs New Purchase Order.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: yuyGs.pdb source: Telco 32pcs New Purchase Order.exe, zBzzGAdzqF.exe.0.dr
Source:	Binary string: yuyGs.pdbSHA256m source: Telco 32pcs New Purchase Order.exe, zBzzGAdzqF.exe.0.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: Telco 32pcs New Purchase Order.exe, Home.cs	.Net Code: InitializeComponent
Source: zBzzGAdzqF.exe.0.dr, Home.cs	.Net Code: InitializeComponent
Source: 0.2.Telco 32pcs New Purchase Order.exe.2bcdf8c.0.raw.unpack, QBy45BY4uMbUQs88Qq.cs	.Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])
Source: 0.2.Telco 32pcs New Purchase Order.exe.6da0000.5.raw.unpack, QBy45BY4uMbUQs88Qq.cs	.Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])
Source: 0.2.Telco 32pcs New Purchase Order.exe.2b6dc80.1.raw.unpack, QBy45BY4uMbUQs88Qq.cs	.Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])
Source: 0.2.Telco 32pcs New Purchase Order.exe.3e30bd8.4.raw.unpack, qu4eVoHSPo9ejA6esY.cs	.Net Code: iIlL85sgd2 System.Reflection.Assembly.Load(byte[])
Source: 0.2.Telco 32pcs New Purchase Order.exe.71e0000.6.raw.unpack, qu4eVoHSPo9ejA6esY.cs	.Net Code: iIlL85sgd2 System.Reflection.Assembly.Load(byte[])

Source: Telco 32pcs New Purchase Order.exe

Static PE information: 0xBA8721D6 [Sat Mar 2 02:49:58 2069 UTC]

Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Code function: 0_2_071DD732 pushfd ; ret	0_2_071DD764
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Code function: 0_2_071DD788 pushfd ; ret	0_2_071DD7A4
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Code function: 0_2_071DD7D6 pushfd ; ret	0_2_071DD7E4
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Code function: 0_2_071DC471 pushfd ; ret	0_2_071DC472
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Code function: 0_2_071D24CC pushfd ; ret	0_2_071D24CD
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Code function: 0_2_071DB3E9 pushfd ; ret	0_2_071DB3F1
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Code function: 0_2_071D5040 pushfd ; ret	0_2_071D5041
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Code function: 0_2_071D2E6E pushfd ; ret	0_2_071D2E6F
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Code function: 0_2_071D4D6F pushfd ; ret	0_2_071D4D8C
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Code function: 0_2_071D9CC3 pushfd ; ret	0_2_071D9CC4
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Code function: 0_2_071D4A29 pushad ; retf	0_2_071D4A35
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Code function: 0_2_071DD891 pushfd ; ret	0_2_071DD8AC
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Code function: 10_2_011C0C45 push ebx; retf	10_2_011C0C52
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Code function: 11_2_073EC620 pushfd ; ret	11_2_073EC63C
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Code function: 11_2_073EC66E pushfd ; ret	11_2_073EC67C
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Code function: 11_2_073EA518 pushfd ; ret	11_2_073EA534
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Code function: 11_2_073EC5DA pushfd ; ret	11_2_073EC5FC
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Code function: 11_2_073EA5C1 pushfd ; ret	11_2_073EA5C9
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Code function: 11_2_073E24CC pushfd ; ret	11_2_073E24CD
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Code function: 11_2_073EB309 pushfd ; ret	11_2_073EB30A
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Code function: 11_2_073EB2B3 pushfd ; ret	11_2_073EB2B4
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Code function: 11_2_073E5040 pushfd ; ret	11_2_073E5041
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Code function: 11_2_073E2E6E pushfd ; ret	11_2_073E2E6F
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Code function: 11_2_073E4D6F pushfd ; ret	11_2_073E4D8C
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Code function: 11_2_073E5DB2 pushfd ; ret	11_2_073E5DC6
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Code function: 11_2_073E9CC3 pushfd ; ret	11_2_073E9CC4
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Code function: 11_2_073E4A29 pushad ; retf	11_2_073E4A35
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Code function: 15_2_01790C45 push ebx; retf	15_2_01790C52
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Code function: 15_2_0179DCA0 push esp; iretd	15_2_0179DD29

Source: Telco 32pcs New Purchase Order.exe	Static PE information: section name: .text entropy: 7.800984886920725
Source: zBzzGAdzqF.exe.0.dr	Static PE information: section name: .text entropy: 7.800984886920725

Source: 0.2.Telco 32pcs New Purchase Order.exe.2bcdf8c.0.raw.unpack, kD0JNdgNBriBGn5egS.cs	High entropy of concatenated method names: 'ubU6vJppswKkZ', 'uvAmfDYbimWPg9rmyH6', 'XHYItoYHo1DoUvgeuNZ', 'tYVkNWYXlYIi7gDFfLn', 'TV4H82YzoL7kT86loIA', 'yoiEG7M3KqRFDlQAaqW', 'rU4RpWYS77WPQpUZwKR', 'vGvSIFYGEhSitdykOPg', 'TCSl6vMYjB5c5h75h4u'
Source: 0.2.Telco 32pcs New Purchase Order.exe.2bcdf8c.0.raw.unpack, QBy45BY4uMbUQs88Qq.cs	High entropy of concatenated method names: 'QByY45B4u', 'EbUNQs88Q', 'D8PguGCCm', 'gfwtorebq', 'rQ9oD0JNd', 'cBrXiBGn5', 'sgS08fT72', 'lmAQKmrG6', 'qn1mTNvNO', 'K084ZL4CG'
Source: 0.2.Telco 32pcs New Purchase Order.exe.6da0000.5.raw.unpack, kD0JNdgNBriBGn5egS.cs	High entropy of concatenated method names: 'ubU6vJppswKkZ', 'uvAmfDYbimWPg9rmyH6', 'XHYItoYHo1DoUvgeuNZ', 'tYVkNWYXlYIi7gDFfLn', 'TV4H82YzoL7kT86loIA', 'yoiEG7M3KqRFDlQAaqW', 'rU4RpWYS77WPQpUZwKR', 'vGvSIFYGEhSitdykOPg', 'TCSl6vMYjB5c5h75h4u'
Source: 0.2.Telco 32pcs New Purchase Order.exe.6da0000.5.raw.unpack, QBy45BY4uMbUQs88Qq.cs	High entropy of concatenated method names: 'QByY45B4u', 'EbUNQs88Q', 'D8PguGCCm', 'gfwtorebq', 'rQ9oD0JNd', 'cBrXiBGn5', 'sgS08fT72', 'lmAQKmrG6', 'qn1mTNvNO', 'K084ZL4CG'
Source: 0.2.Telco 32pcs New Purchase Order.exe.2b6dc80.1.raw.unpack, kD0JNdgNBriBGn5egS.cs	High entropy of concatenated method names: 'ubU6vJppswKkZ', 'uvAmfDYbimWPg9rmyH6', 'XHYItoYHo1DoUvgeuNZ', 'tYVkNWYXlYIi7gDFfLn', 'TV4H82YzoL7kT86loIA', 'yoiEG7M3KqRFDlQAaqW', 'rU4RpWYS77WPQpUZwKR', 'vGvSIFYGEhSitdykOPg', 'TCSl6vMYjB5c5h75h4u'
Source: 0.2.Telco 32pcs New Purchase Order.exe.2b6dc80.1.raw.unpack, QBy45BY4uMbUQs88Qq.cs	High entropy of concatenated method names: 'QByY45B4u', 'EbUNQs88Q', 'D8PguGCCm', 'gfwtorebq', 'rQ9oD0JNd', 'cBrXiBGn5', 'sgS08fT72', 'lmAQKmrG6', 'qn1mTNvNO', 'K084ZL4CG'
Source: 0.2.Telco 32pcs New Purchase Order.exe.3e30bd8.4.raw.unpack, wKEY3HJo8eDVRJWVro.cs	High entropy of concatenated method names: 'sqDQGHh96y', 'AgAQEv1riQ', 'Fg1QJJBr6R', 'I1wQSRnwnx', 'vIeQwNK6Rq', 'BGOQjZUIjV', 'wvgQ3QfWU5', 'VtPQ4RYbh2', 'lyLQyNGwsr', 'ajHQqn1Ng0'
Source: 0.2.Telco 32pcs New Purchase Order.exe.3e30bd8.4.raw.unpack, w3Un50OCHhr6XKPgVv.cs	High entropy of concatenated method names: 'RYCrUTgMSO', 'kQorbaib6b', 'IEdR5YSe1q', 'PFSRcXEnj1', 'uPqrdx7Xkp', 'Wi6rEyPbgM', 'VoLrZD6RB9', 'dD7rJGZpTT', 'LKmrSHsKFR', 'eJVrt2tHI4'
Source: 0.2.Telco 32pcs New Purchase Order.exe.3e30bd8.4.raw.unpack, pfqRELt3v9bOXMqgPx.cs	High entropy of concatenated method names: 'ToString', 'yvehdb2t9t', 'NQehwkDNPt', 'vNahjGrn0B', 'zDnh3DYCMD', 'weFh4Ejuli', 'vuohyoIpHQ', 'TcOhqv04Zo', 'tPNhYAfG6g', 'o2xhTYIURs'
Source: 0.2.Telco 32pcs New Purchase Order.exe.3e30bd8.4.raw.unpack, AwjlnHTFEX7SG8ODN5.cs	High entropy of concatenated method names: 'hy00FxSK3A', 'ALr0lyMuec', 'iLE08TC0iR', 'FT00oF8KFL', 'vlr02teTAH', 'HUy0VVi8jv', 'Wwo0uTJLZY', 'nJB0avBUnP', 'olQ0XjQ0TG', 'GyN0ABaMdL'
Source: 0.2.Telco 32pcs New Purchase Order.exe.3e30bd8.4.raw.unpack, fyDZ3Q6uBXD3CjoIfe.cs	High entropy of concatenated method names: 'Dispose', 'qAxcCZdVv3', 'XBWnwVY2lN', 'Pe9YYBBw6U', 'PRjcbfEKjm', 'pJPczup5ZA', 'ProcessDialogKey', 'FBnn5M11V2', 'K3CncqNxJ4', 'gslnnW9WDD'
Source: 0.2.Telco 32pcs New Purchase Order.exe.3e30bd8.4.raw.unpack, v04S8qXUOtWGnng4FZ.cs	High entropy of concatenated method names: 'cYavouRehn', 'ksNvVPg00u', 'HJWvalwSPx', 'nZSvXHQ0mo', 'cU7vQjopVc', 'SR9vhPYicQ', 'jUHvrRRrtD', 'RJivRYlFin', 'uZyvkvXhi0', 'zXNvMvuihd'
Source: 0.2.Telco 32pcs New Purchase Order.exe.3e30bd8.4.raw.unpack, NvUCdtLRiH35Z1HHQn.cs	High entropy of concatenated method names: 'K83c0PKqHF', 'kGVcHDOvQL', 'LUOcWtWGnn', 'm4FcgZ8MJp', 'iawcQx7K0I', 'wdachtbGSN', 'Ch8D1whNuPg31uyFJg', 'YroQCR9w2iwP4MyTq2', 'HSDccBA0NU', 'fpPcP1HwW2'
Source: 0.2.Telco 32pcs New Purchase Order.exe.3e30bd8.4.raw.unpack, zMJpQBApxlWy5eawx7.cs	High entropy of concatenated method names: 'kMlx2KBJ7U', 'N6sxulRfT7', 'BI0vjhtSKK', 'L1Mv3bOtIS', 'FYkv4oD6xq', 'bSovyLeSu7', 'nc6vqhWF65', 'CuAvYJelIn', 'CF4vTaxdXC', 'm9CvG7pkcO'
Source: 0.2.Telco 32pcs New Purchase Order.exe.3e30bd8.4.raw.unpack, m9WDDAbdckgRSPLQdj.cs	High entropy of concatenated method names: 'orpkcoAta9', 'cwvkPdPa9X', 'XbNkLcJZI9', 'EHdki4HJWD', 'gWBk6sdHLm', 'T1QkxT79yj', 'oDXkehUsxs', 'DEJR1Ie2s7', 'DKoRUxGHO3', 'F8pRCefm26'
Source: 0.2.Telco 32pcs New Purchase Order.exe.3e30bd8.4.raw.unpack, mUIQHtc5PiMLIOqOQrb.cs	High entropy of concatenated method names: 'FAkkFxn8sH', 'HEFkljUHex', 'OjLk87EBb7', 'ox8kok0K4N', 'N5mk2P8Cqi', 'P7qkVymBuM', 'CawkuJWeYj', 'KGAkauav3Y', 'PbFkXix04G', 'KhkkASEoFQ'
Source: 0.2.Telco 32pcs New Purchase Order.exe.3e30bd8.4.raw.unpack, qjfEKjUmhJPup5ZABB.cs	High entropy of concatenated method names: 'SBhRiR8ln7', 'qPKR6YtsRd', 'oMORv0EDq6', 'vyTRxnX0X7', 'f14ReZWIe1', 'yXtR0gH05s', 'EhvRHkCaMg', 'fQaR7AtcnI', 'LAdRWgWshs', 'WXBRggvbQv'
Source: 0.2.Telco 32pcs New Purchase Order.exe.3e30bd8.4.raw.unpack, qu4eVoHSPo9ejA6esY.cs	High entropy of concatenated method names: 'DZrPIKLoAd', 'bZDPiLaV2C', 'b4aP6Q6EaY', 'CrmPvYf3LV', 'PAJPxbt4mA', 'oQKPeWFc5c', 'kClP0yR2mh', 'OHMPHWy8b7', 'PeuP7rGAdx', 'TYsPWgqv4k'
Source: 0.2.Telco 32pcs New Purchase Order.exe.3e30bd8.4.raw.unpack, PD4QmDnXLZawl4rABn.cs	High entropy of concatenated method names: 'zXF8f58L4', 't1Zoj5So2', 'qgxVRGBG6', 'IyBufDp2t', 'QowXlVPrY', 'FN9AftdVN', 'ooDhP5fR42yJe6YWK0', 'pfQm6CVwaQ6XprVAL5', 'qf0RTAdFl', 'XmkMpM5GF'
Source: 0.2.Telco 32pcs New Purchase Order.exe.3e30bd8.4.raw.unpack, cdF0WJqmBirGmsrC9U.cs	High entropy of concatenated method names: 'CEA0iQvX6D', 'tsg0vunrjL', 'SGS0eZ9ebn', 'pamebo8vG2', 'DcgezFMRP2', 'mon0569LDC', 'cKP0cCmnTN', 'Swu0nF7nXL', 'IsA0P69y81', 'TQ40LxNEXd'
Source: 0.2.Telco 32pcs New Purchase Order.exe.3e30bd8.4.raw.unpack, kVBCLKccNDI6UpiebDC.cs	High entropy of concatenated method names: 'ToString', 'ALWMPwDmCl', 'WnSMLIdYYd', 'r2AMIgRLAl', 'UaNMi1hf6c', 'yecM6WVgdF', 'VeGMvSIGDu', 'KUiMxwEDkT', 'OY4V8soRXljAc6TIZDg', 'fC8EL0oU2mD6oShue5e'
Source: 0.2.Telco 32pcs New Purchase Order.exe.3e30bd8.4.raw.unpack, K11YPaZenX8Q04FESS.cs	High entropy of concatenated method names: 'FyWfa97HKd', 'j2MfXKFyP8', 'tFPfBWSfC8', 'MYXfw7NqwV', 'ldEf3KdFXi', 'yYif4cbsdw', 'drjfqvjYRp', 'v1mfYKTv6M', 'gxqfGMCyFV', 'DL6fdyGmsW'
Source: 0.2.Telco 32pcs New Purchase Order.exe.3e30bd8.4.raw.unpack, IPKqHFaHGVDOvQLAAk.cs	High entropy of concatenated method names: 'HnQ6JWKUHJ', 'a1V6Soepat', 'cJe6tlpCfh', 'g1u6msnTg3', 'EF06pxQAPB', 'HTa6OBmIlQ', 'f6061O8oAr', 'G806Uk5tlb', 'uPt6Cea6Nj', 'fTu6b3J0ex'
Source: 0.2.Telco 32pcs New Purchase Order.exe.3e30bd8.4.raw.unpack, v0I9daBtbGSNNIQqY8.cs	High entropy of concatenated method names: 'jWZeIhpB5i', 'uYKe6pWusq', 'xDEexSSueb', 'oVZe0LBNTB', 'nPHeHXiFAA', 'w3HxpsP8cf', 'sexxOga7gR', 'uCcx1JvrKF', 'Sr6xUp8SG3', 'w4axCObIC7'
Source: 0.2.Telco 32pcs New Purchase Order.exe.3e30bd8.4.raw.unpack, BkgHkYcPAiFTFYL9rDK.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'YOyMJWMFgD', 'RgSMSvvR5h', 'WDJMtPpHPV', 'u9NMmAg7hB', 'vyyMpUK59E', 'CAKMOI9TkG', 'xmoM1ouMnq'
Source: 0.2.Telco 32pcs New Purchase Order.exe.3e30bd8.4.raw.unpack, L37xIBvcOVeeN7nJgi.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'bvdnCw79gs', 'l8hnbkI0pE', 'OMMnzrNTx1', 'KUYP5R1Qsw', 'KA3PcFQvuV', 'tq9PnVBWqf', 'XqqPPJe71U', 'R9bsZ92nZYfeK0FCVpO'
Source: 0.2.Telco 32pcs New Purchase Order.exe.3e30bd8.4.raw.unpack, bM11V2Cy3CqNxJ46sl.cs	High entropy of concatenated method names: 'W1oRB7WTse', 'qfARwnvqhU', 'GwFRjbX0mZ', 'tbJR3WaC5H', 'O0RRJfy9lu', 'ED8R4cS1rI', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Telco 32pcs New Purchase Order.exe.71e0000.6.raw.unpack, wKEY3HJo8eDVRJWVro.cs	High entropy of concatenated method names: 'sqDQGHh96y', 'AgAQEv1riQ', 'Fg1QJJBr6R', 'I1wQSRnwnx', 'vIeQwNK6Rq', 'BGOQjZUIjV', 'wvgQ3QfWU5', 'VtPQ4RYbh2', 'lyLQyNGwsr', 'ajHQqn1Ng0'
Source: 0.2.Telco 32pcs New Purchase Order.exe.71e0000.6.raw.unpack, w3Un50OCHhr6XKPgVv.cs	High entropy of concatenated method names: 'RYCrUTgMSO', 'kQorbaib6b', 'IEdR5YSe1q', 'PFSRcXEnj1', 'uPqrdx7Xkp', 'Wi6rEyPbgM', 'VoLrZD6RB9', 'dD7rJGZpTT', 'LKmrSHsKFR', 'eJVrt2tHI4'
Source: 0.2.Telco 32pcs New Purchase Order.exe.71e0000.6.raw.unpack, pfqRELt3v9bOXMqgPx.cs	High entropy of concatenated method names: 'ToString', 'yvehdb2t9t', 'NQehwkDNPt', 'vNahjGrn0B', 'zDnh3DYCMD', 'weFh4Ejuli', 'vuohyoIpHQ', 'TcOhqv04Zo', 'tPNhYAfG6g', 'o2xhTYIURs'
Source: 0.2.Telco 32pcs New Purchase Order.exe.71e0000.6.raw.unpack, AwjlnHTFEX7SG8ODN5.cs	High entropy of concatenated method names: 'hy00FxSK3A', 'ALr0lyMuec', 'iLE08TC0iR', 'FT00oF8KFL', 'vlr02teTAH', 'HUy0VVi8jv', 'Wwo0uTJLZY', 'nJB0avBUnP', 'olQ0XjQ0TG', 'GyN0ABaMdL'
Source: 0.2.Telco 32pcs New Purchase Order.exe.71e0000.6.raw.unpack, fyDZ3Q6uBXD3CjoIfe.cs	High entropy of concatenated method names: 'Dispose', 'qAxcCZdVv3', 'XBWnwVY2lN', 'Pe9YYBBw6U', 'PRjcbfEKjm', 'pJPczup5ZA', 'ProcessDialogKey', 'FBnn5M11V2', 'K3CncqNxJ4', 'gslnnW9WDD'
Source: 0.2.Telco 32pcs New Purchase Order.exe.71e0000.6.raw.unpack, v04S8qXUOtWGnng4FZ.cs	High entropy of concatenated method names: 'cYavouRehn', 'ksNvVPg00u', 'HJWvalwSPx', 'nZSvXHQ0mo', 'cU7vQjopVc', 'SR9vhPYicQ', 'jUHvrRRrtD', 'RJivRYlFin', 'uZyvkvXhi0', 'zXNvMvuihd'
Source: 0.2.Telco 32pcs New Purchase Order.exe.71e0000.6.raw.unpack, NvUCdtLRiH35Z1HHQn.cs	High entropy of concatenated method names: 'K83c0PKqHF', 'kGVcHDOvQL', 'LUOcWtWGnn', 'm4FcgZ8MJp', 'iawcQx7K0I', 'wdachtbGSN', 'Ch8D1whNuPg31uyFJg', 'YroQCR9w2iwP4MyTq2', 'HSDccBA0NU', 'fpPcP1HwW2'
Source: 0.2.Telco 32pcs New Purchase Order.exe.71e0000.6.raw.unpack, zMJpQBApxlWy5eawx7.cs	High entropy of concatenated method names: 'kMlx2KBJ7U', 'N6sxulRfT7', 'BI0vjhtSKK', 'L1Mv3bOtIS', 'FYkv4oD6xq', 'bSovyLeSu7', 'nc6vqhWF65', 'CuAvYJelIn', 'CF4vTaxdXC', 'm9CvG7pkcO'
Source: 0.2.Telco 32pcs New Purchase Order.exe.71e0000.6.raw.unpack, m9WDDAbdckgRSPLQdj.cs	High entropy of concatenated method names: 'orpkcoAta9', 'cwvkPdPa9X', 'XbNkLcJZI9', 'EHdki4HJWD', 'gWBk6sdHLm', 'T1QkxT79yj', 'oDXkehUsxs', 'DEJR1Ie2s7', 'DKoRUxGHO3', 'F8pRCefm26'
Source: 0.2.Telco 32pcs New Purchase Order.exe.71e0000.6.raw.unpack, mUIQHtc5PiMLIOqOQrb.cs	High entropy of concatenated method names: 'FAkkFxn8sH', 'HEFkljUHex', 'OjLk87EBb7', 'ox8kok0K4N', 'N5mk2P8Cqi', 'P7qkVymBuM', 'CawkuJWeYj', 'KGAkauav3Y', 'PbFkXix04G', 'KhkkASEoFQ'
Source: 0.2.Telco 32pcs New Purchase Order.exe.71e0000.6.raw.unpack, qjfEKjUmhJPup5ZABB.cs	High entropy of concatenated method names: 'SBhRiR8ln7', 'qPKR6YtsRd', 'oMORv0EDq6', 'vyTRxnX0X7', 'f14ReZWIe1', 'yXtR0gH05s', 'EhvRHkCaMg', 'fQaR7AtcnI', 'LAdRWgWshs', 'WXBRggvbQv'
Source: 0.2.Telco 32pcs New Purchase Order.exe.71e0000.6.raw.unpack, qu4eVoHSPo9ejA6esY.cs	High entropy of concatenated method names: 'DZrPIKLoAd', 'bZDPiLaV2C', 'b4aP6Q6EaY', 'CrmPvYf3LV', 'PAJPxbt4mA', 'oQKPeWFc5c', 'kClP0yR2mh', 'OHMPHWy8b7', 'PeuP7rGAdx', 'TYsPWgqv4k'
Source: 0.2.Telco 32pcs New Purchase Order.exe.71e0000.6.raw.unpack, PD4QmDnXLZawl4rABn.cs	High entropy of concatenated method names: 'zXF8f58L4', 't1Zoj5So2', 'qgxVRGBG6', 'IyBufDp2t', 'QowXlVPrY', 'FN9AftdVN', 'ooDhP5fR42yJe6YWK0', 'pfQm6CVwaQ6XprVAL5', 'qf0RTAdFl', 'XmkMpM5GF'
Source: 0.2.Telco 32pcs New Purchase Order.exe.71e0000.6.raw.unpack, cdF0WJqmBirGmsrC9U.cs	High entropy of concatenated method names: 'CEA0iQvX6D', 'tsg0vunrjL', 'SGS0eZ9ebn', 'pamebo8vG2', 'DcgezFMRP2', 'mon0569LDC', 'cKP0cCmnTN', 'Swu0nF7nXL', 'IsA0P69y81', 'TQ40LxNEXd'
Source: 0.2.Telco 32pcs New Purchase Order.exe.71e0000.6.raw.unpack, kVBCLKccNDI6UpiebDC.cs	High entropy of concatenated method names: 'ToString', 'ALWMPwDmCl', 'WnSMLIdYYd', 'r2AMIgRLAl', 'UaNMi1hf6c', 'yecM6WVgdF', 'VeGMvSIGDu', 'KUiMxwEDkT', 'OY4V8soRXljAc6TIZDg', 'fC8EL0oU2mD6oShue5e'
Source: 0.2.Telco 32pcs New Purchase Order.exe.71e0000.6.raw.unpack, K11YPaZenX8Q04FESS.cs	High entropy of concatenated method names: 'FyWfa97HKd', 'j2MfXKFyP8', 'tFPfBWSfC8', 'MYXfw7NqwV', 'ldEf3KdFXi', 'yYif4cbsdw', 'drjfqvjYRp', 'v1mfYKTv6M', 'gxqfGMCyFV', 'DL6fdyGmsW'
Source: 0.2.Telco 32pcs New Purchase Order.exe.71e0000.6.raw.unpack, IPKqHFaHGVDOvQLAAk.cs	High entropy of concatenated method names: 'HnQ6JWKUHJ', 'a1V6Soepat', 'cJe6tlpCfh', 'g1u6msnTg3', 'EF06pxQAPB', 'HTa6OBmIlQ', 'f6061O8oAr', 'G806Uk5tlb', 'uPt6Cea6Nj', 'fTu6b3J0ex'
Source: 0.2.Telco 32pcs New Purchase Order.exe.71e0000.6.raw.unpack, v0I9daBtbGSNNIQqY8.cs	High entropy of concatenated method names: 'jWZeIhpB5i', 'uYKe6pWusq', 'xDEexSSueb', 'oVZe0LBNTB', 'nPHeHXiFAA', 'w3HxpsP8cf', 'sexxOga7gR', 'uCcx1JvrKF', 'Sr6xUp8SG3', 'w4axCObIC7'
Source: 0.2.Telco 32pcs New Purchase Order.exe.71e0000.6.raw.unpack, BkgHkYcPAiFTFYL9rDK.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'YOyMJWMFgD', 'RgSMSvvR5h', 'WDJMtPpHPV', 'u9NMmAg7hB', 'vyyMpUK59E', 'CAKMOI9TkG', 'xmoM1ouMnq'
Source: 0.2.Telco 32pcs New Purchase Order.exe.71e0000.6.raw.unpack, L37xIBvcOVeeN7nJgi.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'bvdnCw79gs', 'l8hnbkI0pE', 'OMMnzrNTx1', 'KUYP5R1Qsw', 'KA3PcFQvuV', 'tq9PnVBWqf', 'XqqPPJe71U', 'R9bsZ92nZYfeK0FCVpO'
Source: 0.2.Telco 32pcs New Purchase Order.exe.71e0000.6.raw.unpack, bM11V2Cy3CqNxJ46sl.cs	High entropy of concatenated method names: 'W1oRB7WTse', 'qfARwnvqhU', 'GwFRjbX0mZ', 'tbJR3WaC5H', 'O0RRJfy9lu', 'ED8R4cS1rI', 'Next', 'Next', 'Next', 'NextBytes'

Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe

File created: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zBzzGAdzqF" /XML "C:\Users\user\AppData\Local\Temp\tmp4878.tmp"

Hooking and other Techniques for Hiding and Protection

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Source: initial sample

Icon embedded in binary file: icon matches a legit application icon: download (129).png

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: zBzzGAdzqF.exe PID: 2768, type: MEMORYSTR

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Memory allocated: 11F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Memory allocated: 2B40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Memory allocated: 4B40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Memory allocated: 8FE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Memory allocated: 9FE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Memory allocated: A1F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Memory allocated: B1F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Memory allocated: 11C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Memory allocated: 2B90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Memory allocated: 4C90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Memory allocated: 1460000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Memory allocated: 2E80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Memory allocated: 4E80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Memory allocated: 8DE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Memory allocated: 9DE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Memory allocated: 9FE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Memory allocated: AFE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Memory allocated: 1740000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Memory allocated: 30F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Memory allocated: 50F0000 memory reserve \| memory write watch

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4547	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5859	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 577	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Window / User API: threadDelayed 3543	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Window / User API: threadDelayed 6300	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Window / User API: threadDelayed 3693
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Window / User API: threadDelayed 6144

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2252	Thread sleep count: 4547 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2212	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4352	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5692	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3364	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328	Thread sleep count: 38 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328	Thread sleep time: -35048813740048126s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7340	Thread sleep count: 3543 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328	Thread sleep time: -99890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7340	Thread sleep count: 6300 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328	Thread sleep time: -99780s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328	Thread sleep time: -99671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328	Thread sleep time: -99562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328	Thread sleep time: -99453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328	Thread sleep time: -99343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328	Thread sleep time: -99234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328	Thread sleep time: -99125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328	Thread sleep time: -99015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328	Thread sleep time: -98906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328	Thread sleep time: -98791s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328	Thread sleep time: -98687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328	Thread sleep time: -98578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328	Thread sleep time: -98465s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328	Thread sleep time: -98359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328	Thread sleep time: -98250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328	Thread sleep time: -98140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328	Thread sleep time: -98031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328	Thread sleep time: -97922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328	Thread sleep time: -97812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328	Thread sleep time: -97703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328	Thread sleep time: -97594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328	Thread sleep time: -97479s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328	Thread sleep time: -97374s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328	Thread sleep time: -97265s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328	Thread sleep time: -97155s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328	Thread sleep time: -97047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328	Thread sleep time: -96937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328	Thread sleep time: -96828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328	Thread sleep time: -96719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328	Thread sleep time: -96609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328	Thread sleep time: -96457s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328	Thread sleep time: -96156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328	Thread sleep time: -96046s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328	Thread sleep time: -95937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328	Thread sleep time: -95823s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328	Thread sleep time: -95717s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328	Thread sleep time: -95609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328	Thread sleep time: -95500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328	Thread sleep time: -95388s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328	Thread sleep time: -95281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328	Thread sleep time: -95171s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328	Thread sleep time: -95049s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328	Thread sleep time: -94922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328	Thread sleep time: -94812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328	Thread sleep time: -94703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328	Thread sleep time: -94594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328	Thread sleep time: -94484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328	Thread sleep time: -94375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe TID: 7328	Thread sleep time: -94265s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7336	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604	Thread sleep count: 36 > 30
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604	Thread sleep time: -33204139332677172s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604	Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7632	Thread sleep count: 3693 > 30
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604	Thread sleep time: -99585s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7632	Thread sleep count: 6144 > 30
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604	Thread sleep time: -99469s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604	Thread sleep time: -99340s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604	Thread sleep time: -99226s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604	Thread sleep time: -99125s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604	Thread sleep time: -99013s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604	Thread sleep time: -98904s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604	Thread sleep time: -98795s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604	Thread sleep time: -98688s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604	Thread sleep time: -98578s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604	Thread sleep time: -98469s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604	Thread sleep time: -98344s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604	Thread sleep time: -98235s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604	Thread sleep time: -98110s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604	Thread sleep time: -97985s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604	Thread sleep time: -97860s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604	Thread sleep time: -97735s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604	Thread sleep time: -97610s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604	Thread sleep time: -97485s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604	Thread sleep time: -97360s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604	Thread sleep time: -97235s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604	Thread sleep time: -97110s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604	Thread sleep time: -96969s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604	Thread sleep time: -96710s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604	Thread sleep time: -96548s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604	Thread sleep time: -96304s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604	Thread sleep time: -96191s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604	Thread sleep time: -96063s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604	Thread sleep time: -95953s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604	Thread sleep time: -95844s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604	Thread sleep time: -95734s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604	Thread sleep time: -95625s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604	Thread sleep time: -95516s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604	Thread sleep time: -95406s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604	Thread sleep time: -95297s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604	Thread sleep time: -95188s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604	Thread sleep time: -95063s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604	Thread sleep time: -94938s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604	Thread sleep time: -94813s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604	Thread sleep time: -94703s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604	Thread sleep time: -94594s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604	Thread sleep time: -94469s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604	Thread sleep time: -94360s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604	Thread sleep time: -94235s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604	Thread sleep time: -94110s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604	Thread sleep time: -93985s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604	Thread sleep time: -93813s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604	Thread sleep time: -93693s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604	Thread sleep time: -93563s >= -30000s
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe TID: 7604	Thread sleep time: -93174s >= -30000s

Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Thread delayed: delay time: 99890	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Thread delayed: delay time: 99780	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Thread delayed: delay time: 99671	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Thread delayed: delay time: 99562	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Thread delayed: delay time: 99453	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Thread delayed: delay time: 99343	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Thread delayed: delay time: 99234	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Thread delayed: delay time: 99125	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Thread delayed: delay time: 99015	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Thread delayed: delay time: 98906	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Thread delayed: delay time: 98791	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Thread delayed: delay time: 98687	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Thread delayed: delay time: 98578	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Thread delayed: delay time: 98465	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Thread delayed: delay time: 98359	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Thread delayed: delay time: 98250	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Thread delayed: delay time: 98140	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Thread delayed: delay time: 98031	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Thread delayed: delay time: 97922	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Thread delayed: delay time: 97812	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Thread delayed: delay time: 97703	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Thread delayed: delay time: 97594	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Thread delayed: delay time: 97479	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Thread delayed: delay time: 97374	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Thread delayed: delay time: 97265	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Thread delayed: delay time: 97155	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Thread delayed: delay time: 97047	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Thread delayed: delay time: 96937	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Thread delayed: delay time: 96828	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Thread delayed: delay time: 96719	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Thread delayed: delay time: 96609	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Thread delayed: delay time: 96457	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Thread delayed: delay time: 96156	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Thread delayed: delay time: 96046	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Thread delayed: delay time: 95937	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Thread delayed: delay time: 95823	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Thread delayed: delay time: 95717	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Thread delayed: delay time: 95609	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Thread delayed: delay time: 95500	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Thread delayed: delay time: 95388	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Thread delayed: delay time: 95281	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Thread delayed: delay time: 95171	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Thread delayed: delay time: 95049	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Thread delayed: delay time: 94922	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Thread delayed: delay time: 94812	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Thread delayed: delay time: 94703	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Thread delayed: delay time: 94594	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Thread delayed: delay time: 94484	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Thread delayed: delay time: 94375	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Thread delayed: delay time: 94265	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Thread delayed: delay time: 99585
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Thread delayed: delay time: 99469
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Thread delayed: delay time: 99340
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Thread delayed: delay time: 99226
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Thread delayed: delay time: 99125
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Thread delayed: delay time: 99013
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Thread delayed: delay time: 98904
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Thread delayed: delay time: 98795
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Thread delayed: delay time: 98688
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Thread delayed: delay time: 98578
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Thread delayed: delay time: 98469
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Thread delayed: delay time: 98344
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Thread delayed: delay time: 98235
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Thread delayed: delay time: 98110
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Thread delayed: delay time: 97985
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Thread delayed: delay time: 97860
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Thread delayed: delay time: 97735
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Thread delayed: delay time: 97610
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Thread delayed: delay time: 97485
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Thread delayed: delay time: 97360
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Thread delayed: delay time: 97235
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Thread delayed: delay time: 97110
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Thread delayed: delay time: 96969
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Thread delayed: delay time: 96710
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Thread delayed: delay time: 96548
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Thread delayed: delay time: 96304
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Thread delayed: delay time: 96191
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Thread delayed: delay time: 96063
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Thread delayed: delay time: 95953
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Thread delayed: delay time: 95844
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Thread delayed: delay time: 95734
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Thread delayed: delay time: 95625
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Thread delayed: delay time: 95516
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Thread delayed: delay time: 95406
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Thread delayed: delay time: 95297
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Thread delayed: delay time: 95188
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Thread delayed: delay time: 95063
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Thread delayed: delay time: 94938
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Thread delayed: delay time: 94813
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Thread delayed: delay time: 94703
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Thread delayed: delay time: 94594
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Thread delayed: delay time: 94469
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Thread delayed: delay time: 94360
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Thread delayed: delay time: 94235
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Thread delayed: delay time: 94110
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Thread delayed: delay time: 93985
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Thread delayed: delay time: 93813
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Thread delayed: delay time: 93693
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Thread delayed: delay time: 93563
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Thread delayed: delay time: 93174

Source: zBzzGAdzqF.exe, 0000000B.00000002.1508467194.00000000011A2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}m=dE
Source: Telco 32pcs New Purchase Order.exe, 0000000A.00000002.2687529054.000000000117E000.00000004.00000020.00020000.00000000.sdmp, zBzzGAdzqF.exe, 0000000F.00000002.2687516605.000000000149F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: zBzzGAdzqF.exe, 0000000B.00000002.1508467194.00000000011A2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\"

Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe"
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe"
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe"	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Memory written: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Memory written: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zBzzGAdzqF" /XML "C:\Users\user\AppData\Local\Temp\tmp4878.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process created: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe "C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Process created: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe "C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zBzzGAdzqF" /XML "C:\Users\user\AppData\Local\Temp\tmp5C8D.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Process created: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe "C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Queries volume information: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Queries volume information: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Queries volume information: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Queries volume information: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.2.Telco 32pcs New Purchase Order.exe.3db27b8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Telco 32pcs New Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Telco 32pcs New Purchase Order.exe.3ded1d8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Telco 32pcs New Purchase Order.exe.3ded1d8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Telco 32pcs New Purchase Order.exe.3db27b8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.2689631627.0000000003141000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2689533130.0000000002C0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2689631627.0000000003165000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2689533130.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2685907689.0000000000435000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1461636343.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Telco 32pcs New Purchase Order.exe PID: 4136, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Telco 32pcs New Purchase Order.exe PID: 4508, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: zBzzGAdzqF.exe PID: 7500, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe

File opened: C:\FTP Navigator\Ftplist.txt

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Source: Yara match	File source: 0.2.Telco 32pcs New Purchase Order.exe.3db27b8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Telco 32pcs New Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Telco 32pcs New Purchase Order.exe.3ded1d8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Telco 32pcs New Purchase Order.exe.3ded1d8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Telco 32pcs New Purchase Order.exe.3db27b8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.2689631627.0000000003141000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2689533130.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2685907689.0000000000435000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1461636343.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Telco 32pcs New Purchase Order.exe PID: 4136, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Telco 32pcs New Purchase Order.exe PID: 4508, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: zBzzGAdzqF.exe PID: 7500, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.2.Telco 32pcs New Purchase Order.exe.3db27b8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Telco 32pcs New Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Telco 32pcs New Purchase Order.exe.3ded1d8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Telco 32pcs New Purchase Order.exe.3ded1d8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Telco 32pcs New Purchase Order.exe.3db27b8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.2689631627.0000000003141000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2689533130.0000000002C0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2689631627.0000000003165000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2689533130.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2685907689.0000000000435000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1461636343.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Telco 32pcs New Purchase Order.exe PID: 4136, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Telco 32pcs New Purchase Order.exe PID: 4508, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: zBzzGAdzqF.exe PID: 7500, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	111 Process Injection	1 Deobfuscate/Decode Files or Information	21 Input Capture	24 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Scheduled Task/Job	3 Obfuscated Files or Information	1 Credentials in Registry	1 Query Registry	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Software Packing	NTDS	211 Security Software Discovery	Distributed Component Object Model	21 Input Capture	23 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	1 Process Discovery	SSH	1 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	141 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	141 Virtualization/Sandbox Evasion	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	111 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Telco 32pcs New Purchase Order.exe	45%	ReversingLabs	Win32.Ransomware.CryptoJoker
Telco 32pcs New Purchase Order.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe	45%	ReversingLabs	Win32.Ransomware.CryptoJoker

Source	Detection	Scanner	Label
https://api.ipify.org/	0%	URL Reputation	safe
https://api.ipify.org	0%	URL Reputation	safe
https://account.dyn.com/	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://www.symauth.com/cps0(	0%	URL Reputation	safe
https://api.ipify.org/t	0%	Avira URL Cloud	safe
https://static.wikia.nocookie.net/mitologa/images/a/a3/Imagen_por_defecto.png/revision/latest/thumbn	0%	Avira URL Cloud	safe
http://www.symauth.com/rpa00	0%	Avira URL Cloud	safe
http://crl.mG	0%	Avira URL Cloud	safe
http://mail.iaa-airferight.com	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mail.iaa-airferight.com	46.175.148.58	true	true		unknown
api.ipify.org	104.26.12.205	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.ipify.org	Telco 32pcs New Purchase Order.exe, 00000000.00000002.1461636343.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, Telco 32pcs New Purchase Order.exe, 0000000A.00000002.2689533130.0000000002B91000.00000004.00000800.00020000.00000000.sdmp, zBzzGAdzqF.exe, 0000000F.00000002.2685915143.0000000000434000.00000040.00000400.00020000.00000000.sdmp, zBzzGAdzqF.exe, 0000000F.00000002.2689631627.00000000030F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://account.dyn.com/	Telco 32pcs New Purchase Order.exe, 00000000.00000002.1461636343.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, Telco 32pcs New Purchase Order.exe, 0000000A.00000002.2685907689.0000000000435000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ipify.org/t	Telco 32pcs New Purchase Order.exe, 0000000A.00000002.2689533130.0000000002B91000.00000004.00000800.00020000.00000000.sdmp, zBzzGAdzqF.exe, 0000000F.00000002.2689631627.00000000030F1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://static.wikia.nocookie.net/mitologa/images/a/a3/Imagen_por_defecto.png/revision/latest/thumbn	Telco 32pcs New Purchase Order.exe, zBzzGAdzqF.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Telco 32pcs New Purchase Order.exe, 00000000.00000002.1460082719.0000000002B8C000.00000004.00000800.00020000.00000000.sdmp, Telco 32pcs New Purchase Order.exe, 0000000A.00000002.2689533130.0000000002B91000.00000004.00000800.00020000.00000000.sdmp, zBzzGAdzqF.exe, 0000000B.00000002.1511440653.0000000002ECC000.00000004.00000800.00020000.00000000.sdmp, zBzzGAdzqF.exe, 0000000F.00000002.2689631627.00000000030F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.symauth.com/cps0(	Telco 32pcs New Purchase Order.exe, zBzzGAdzqF.exe.0.dr	false	URL Reputation: safe	unknown
http://www.symauth.com/rpa00	Telco 32pcs New Purchase Order.exe, zBzzGAdzqF.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://crl.mG	zBzzGAdzqF.exe, 0000000F.00000002.2701127043.0000000006B52000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://mail.iaa-airferight.com	Telco 32pcs New Purchase Order.exe, 0000000A.00000002.2689533130.0000000002C0C000.00000004.00000800.00020000.00000000.sdmp, zBzzGAdzqF.exe, 0000000F.00000002.2689631627.0000000003165000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.26.12.205	api.ipify.org	United States		13335	CLOUDFLARENETUS	false
46.175.148.58	mail.iaa-airferight.com	Ukraine		56394	ASLAGIDKOM-NETUA	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1519146
Start date and time:	2024-09-26 07:24:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 28s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Telco 32pcs New Purchase Order.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@21/15@2/2
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 100% Number of executed functions: 252 Number of non-executed functions: 14
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, 4.8.2.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0.2.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Telco 32pcs New Purchase Order.exe, PID 4508 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: Telco 32pcs New Purchase Order.exe

Simulations

Behavior and APIs

Time	Type	Description
01:25:07	API Interceptor	1793587x Sleep call for process: Telco 32pcs New Purchase Order.exe modified
01:25:09	API Interceptor	39x Sleep call for process: powershell.exe modified
01:25:12	API Interceptor	1014264x Sleep call for process: zBzzGAdzqF.exe modified
07:25:09	Task Scheduler	Run new task: zBzzGAdzqF path: C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.26.12.205	file.exe	Get hash	malicious	LummaC, Vidar	Browse	api.ipify.org/
	SecuriteInfo.com.Win64.Evo-gen.13899.14592.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
46.175.148.58	Ningbo - Past Due Invoices.scr.exe	Get hash	malicious	AgentTesla	Browse
	Samsung PO 20240920.exe	Get hash	malicious	AgentTesla	Browse
	PO-3500036071.exe	Get hash	malicious	AgentTesla	Browse
	PI #OVES1912196.scr.exe	Get hash	malicious	AgentTesla	Browse
	SPW AW25 - PO.010 SMS.exe	Get hash	malicious	AgentTesla	Browse
	SPW AW25 - PO.010 SMS.exe	Get hash	malicious	AgentTesla	Browse
	LEVER STYLE SEP BUY ORDER & C248SH12.exe	Get hash	malicious	AgentTesla	Browse
	SPW AW25 - PO.010.exe	Get hash	malicious	AgentTesla	Browse
	Asco Valve Shanghai OrderPO-011024.exe	Get hash	malicious	AgentTesla	Browse
	Global e-Banking Payment Advice 000000164.exe	Get hash	malicious	AgentTesla	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
mail.iaa-airferight.com	Ningbo - Past Due Invoices.scr.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	Samsung PO 20240920.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	PO-3500036071.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	PI #OVES1912196.scr.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	SPW AW25 - PO.010 SMS.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	SPW AW25 - PO.010 SMS.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	LEVER STYLE SEP BUY ORDER & C248SH12.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	SPW AW25 - PO.010.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	Asco Valve Shanghai OrderPO-011024.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	Global e-Banking Payment Advice 000000164.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
api.ipify.org	https://lmoriw-iekascma-oqmmcq-213-cmakwe-fgacsax.pages.dev/robots.txt/	Get hash	malicious	HTMLPhisher	Browse	104.26.13.205
	INDIA - VSL PARTICULARS.pdf.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	http://limeac-oawkcc-otmsesrt-iond0-minestoasli.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	172.67.74.152
	https://dreativityblocksnodes.pages.dev/	Get hash	malicious	Unknown	Browse	172.67.74.152
	https://check-smulti-993054.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	172.67.74.152
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.26.12.205
	SecuriteInfo.com.Win64.Evo-gen.13899.14592.exe	Get hash	malicious	Unknown	Browse	104.26.13.205
	SecuriteInfo.com.Win64.Evo-gen.13899.14592.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	172.67.74.152
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	172.67.74.152

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	envifa.vbs	Get hash	malicious	Unknown	Browse	172.67.19.24
	https://redfoxgroup.ladesk.com/402755-APAR	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://docs-i-trezor.github.io/en-us/	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	http://banlombiasucursalvirtughasd.vercel.app/	Get hash	malicious	Unknown	Browse	104.26.0.188
	https://cutt.ly/EeUeu5Iy/	Get hash	malicious	Unknown	Browse	172.67.8.238
	https://start-m-trezar.github.io/	Get hash	malicious	HTMLPhisher	Browse	104.16.96.114
	https://check-hticompialnt520842.com/sign-in?op_token=6QouodMTj42Y9R6vu7f7F4jkiiAw5e0RnP0YJ7kaakP7NW4bImz7RzENOq9XAroPzLQq7OQtDzJlNnfUSwkvnHQF3HnsYuhEh8y&uuid=3334009b-8512-457f-a8c7-c29303c4adbc&hash=lrio35yeh&language=en	Get hash	malicious	Unknown	Browse	104.18.86.42
	https://lmoriw-iekascma-oqmmcq-213-cmakwe-fgacsax.pages.dev/robots.txt/	Get hash	malicious	HTMLPhisher	Browse	172.67.74.152
	https://expressss-venezuela.pages.dev/robots.txt/	Get hash	malicious	Unknown	Browse	172.66.47.120
	https://risingstarsyouthfootballcamp.com/modules/psgdpr/css/bonde/auth/dV9oBz/index.php/	Get hash	malicious	Unknown	Browse	104.17.24.14
ASLAGIDKOM-NETUA	Ningbo - Past Due Invoices.scr.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	Samsung PO 20240920.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	PO-3500036071.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	PI #OVES1912196.scr.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	SPW AW25 - PO.010 SMS.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	SPW AW25 - PO.010 SMS.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	LEVER STYLE SEP BUY ORDER & C248SH12.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	SPW AW25 - PO.010.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	Asco Valve Shanghai OrderPO-011024.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	Global e-Banking Payment Advice 000000164.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	http://npc.uzob291.vip/	Get hash	malicious	Unknown	Browse	104.26.12.205
	http://oxv.efoi271.vip/	Get hash	malicious	Unknown	Browse	104.26.12.205
	http://oxv.dsgn269.vip/	Get hash	malicious	Unknown	Browse	104.26.12.205
	http://qae.qafv739.vip/	Get hash	malicious	Unknown	Browse	104.26.12.205
	https://cmn.gyxm333.vip/	Get hash	malicious	Unknown	Browse	104.26.12.205
	https://frt.jjze726.vip/	Get hash	malicious	Unknown	Browse	104.26.12.205
	https://sparebankno-privat.netlify.app/	Get hash	malicious	Unknown	Browse	104.26.12.205
	https://hgw.gyxm333.vip/	Get hash	malicious	Unknown	Browse	104.26.12.205
	https://hgw.nxwp620.vip/	Get hash	malicious	Unknown	Browse	104.26.12.205
	envifa.vbs	Get hash	malicious	Unknown	Browse	104.26.12.205

Process:	C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\zBzzGAdzqF.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.380192968514367
Encrypted:	false
SSDEEP:	48:+WSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMugeC/ZPUyus:+LHyIFKL3IZ2KRH9Oug8s
MD5:	E3EC01FAB7E327602A9550342FA73464
SHA1:	7F06C78BA2496A8DDB3DDCD63BAF741CB8C84886
SHA-256:	4ECCD285FCD821659092ADB47638B559656F97512183BA76AEE2760D531273C5
SHA-512:	B66B707510DE1B0AA29F65F1C99BDEEBDC4D34EC3D9950B62E17058D2E5B1599C85A09EC056F1C4BCE019213485F1E3D7E9D68651890A853819F98DBF2492407
Malicious:	false
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_432uztg2.dii.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4qeyzlb4.2uh.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5xz2eenz.tcz.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mvm4nvtf.0f2.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_q5sra2fq.eff.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_s4k1gxl0.mbg.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_szz10lyr.bj1.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_udh5n3ix.poz.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp4878.tmp

Download File

Process:	C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1583
Entropy (8bit):	5.123792705839575
Encrypted:	false
SSDEEP:	24:2di4+S2qhtJ12iy1mcrUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtpaxvn:cgeLAYrFdOFzOzN33ODOiDdKrsuTcv
MD5:	6B274991AEAD520CF3B14502ED127215
SHA1:	BA88CCA464F78F60FB663B618D8F5E4569B318B9
SHA-256:	EE797A3F451460A5A85D0CF489D2DC3EC1AF61883DF4C8037F1EA6AE13C92A52
SHA-512:	23E252F95D1D2C59105EB615F27A38178C318F2CF6175B381C90D76F00790BBF895A6077F0D478C19FB2B423F7C825C8DC589C9A22BD54EB25B62725E1C18E54
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Local\Temp\tmp5C8D.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1583
Entropy (8bit):	5.123792705839575
Encrypted:	false
SSDEEP:	24:2di4+S2qhtJ12iy1mcrUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtpaxvn:cgeLAYrFdOFzOzN33ODOiDdKrsuTcv
MD5:	6B274991AEAD520CF3B14502ED127215
SHA1:	BA88CCA464F78F60FB663B618D8F5E4569B318B9
SHA-256:	EE797A3F451460A5A85D0CF489D2DC3EC1AF61883DF4C8037F1EA6AE13C92A52
SHA-512:	23E252F95D1D2C59105EB615F27A38178C318F2CF6175B381C90D76F00790BBF895A6077F0D478C19FB2B423F7C825C8DC589C9A22BD54EB25B62725E1C18E54
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe

Download File

Process:	C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	991848
Entropy (8bit):	7.397819157475462
Encrypted:	false
SSDEEP:	24576:izFcFCG6ra2QIi2zGc9rwZTkfrw6bMfR1q:izFcsG3ZDc9riI0q
MD5:	8D310F2E831174AAC8EAA5EBA20E87AD
SHA1:	600EF55976B69523C7973C5D0AEEB91F3FDCF97E
SHA-256:	457B6241F125CD8C4F030E7B7F05829B89A5E831F624225CB70EA272ECD88876
SHA-512:	A8A58D69131AE7B6736AF515AD800EEBE123DF03C8C5B909E24AE64E382F310835F984D045F97AABE11A0F489E614B1D8D516ADD24D9CFDE6F261CA88AF75839
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 45%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....!................0......R......n.... ........@.. .......................@............@.....................................O........O..............h4... ......\...p............................................ ............... ..H............text...t.... ...................... ..`.rsrc....O.......P..................@..@.reloc....... ......................@..B................M.......H............s..........."...f...........................................0............{.....+....(.......r...ps....}.....s....}....r..{.....o......{.....o........0..9.........{.....{....o.......{....o.......{....o....}..........z...........!4.......0..4.........{.....{....o.......{....o......{....o....&......z........./.......0............(.........,..{....o.....V..{....o .....o!...&^..}.....("......(.........0............s#...}....s>....s......{.....o=...o$.....{....

C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.397819157475462
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Telco 32pcs New Purchase Order.exe
File size:	991'848 bytes
MD5:	8d310f2e831174aac8eaa5eba20e87ad
SHA1:	600ef55976b69523c7973c5d0aeeb91f3fdcf97e
SHA256:	457b6241f125cd8c4f030e7b7f05829b89a5e831f624225cb70ea272ecd88876
SHA512:	a8a58d69131ae7b6736af515ad800eebe123df03c8c5b909e24ae64e382f310835f984d045f97aabe11a0f489e614b1d8d516add24d9cfde6f261ca88af75839
SSDEEP:	24576:izFcFCG6ra2QIi2zGc9rwZTkfrw6bMfR1q:izFcsG3ZDc9riI0q
TLSH:	1825CF42D29C9620EC3A5BB16535CD72032F7DAEA4B8D11C29CD3DAB3FFABA25414543
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....!................0......R......n.... ........@.. .......................@............@................................

File Icon


Icon Hash:	c5a484988c94a04b

Static PE Info

General

Entrypoint:	0x4bb86e
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xBA8721D6 [Sat Mar 2 02:49:58 2069 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	11/11/2021 01:00:00 14/11/2024 00:59:59
Subject Chain	CN="NetEase Youdao Information Technology (Beijing) Co.,Ltd.", O="NetEase Youdao Information Technology (Beijing) Co.,Ltd.", S=Beijing, C=CN
Version:	3
Thumbprint MD5:	4F5FEC748CD450F88841E761105381F9
Thumbprint SHA-1:	4969233BC110419F015F688CF21C19254B1B0BAA
Thumbprint SHA-256:	1CC254B81F32E63E63AD35958D2E738ADAA491167E1EA91199DEF66274175909
Serial:	01CC0C6632D0CA3E68F19D8028508E91

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbb819	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xbc000	0x34fd4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xeee00	0x3468
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xf2000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb895c	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xb9874	0xb9a00	60221d64384c43b19ff3e11894385ae3	False	0.8255116266835016	data	7.800984886920725	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xbc000	0x34fd4	0x35000	45c306573542355c062ef6fa2cdbcaee	False	0.2101498010023585	data	4.4442337784832215	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xf2000	0xc	0x200	6d8f341d41e8d64323b267dba0004ecc	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xbc460	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	0.3225609756097561
RT_ICON	0xbcac8	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	0.43951612903225806
RT_ICON	0xbcdb0	0x1e8	Device independent bitmap graphic, 24 x 48 x 4, image size 288	0.4016393442622951
RT_ICON	0xbcf98	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	0.4831081081081081
RT_ICON	0xbd0c0	0x35e0	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9907192575406032
RT_ICON	0xc06a0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	0.4584221748400853
RT_ICON	0xc1548	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	0.47382671480144406
RT_ICON	0xc1df0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	0.45564516129032256
RT_ICON	0xc24b8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	0.3504335260115607
RT_ICON	0xc2a20	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	0.07868508221933042
RT_ICON	0xd3248	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	0.15114568005045195
RT_ICON	0xdc6f0	0x67e8	Device independent bitmap graphic, 80 x 160 x 32, image size 26560	0.1543233082706767
RT_ICON	0xe2ed8	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	0.175184842883549
RT_ICON	0xe8360	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	0.15948275862068967
RT_ICON	0xec588	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	0.24107883817427386
RT_ICON	0xeeb30	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	0.2678236397748593
RT_ICON	0xefbd8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	0.37459016393442623
RT_ICON	0xf0560	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	0.42819148936170215
RT_GROUP_ICON	0xf09c8	0x102	data	0.5775193798449613
RT_VERSION	0xf0acc	0x31c	data	0.4334170854271357
RT_MANIFEST	0xf0de8	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 26, 2024 07:25:10.436988115 CEST	49709	443	192.168.2.8	104.26.12.205
Sep 26, 2024 07:25:10.437037945 CEST	443	49709	104.26.12.205	192.168.2.8
Sep 26, 2024 07:25:10.437103987 CEST	49709	443	192.168.2.8	104.26.12.205
Sep 26, 2024 07:25:10.444632053 CEST	49709	443	192.168.2.8	104.26.12.205
Sep 26, 2024 07:25:10.444649935 CEST	443	49709	104.26.12.205	192.168.2.8
Sep 26, 2024 07:25:10.918414116 CEST	443	49709	104.26.12.205	192.168.2.8
Sep 26, 2024 07:25:10.918512106 CEST	49709	443	192.168.2.8	104.26.12.205
Sep 26, 2024 07:25:10.980526924 CEST	49709	443	192.168.2.8	104.26.12.205
Sep 26, 2024 07:25:10.980591059 CEST	443	49709	104.26.12.205	192.168.2.8
Sep 26, 2024 07:25:10.980968952 CEST	443	49709	104.26.12.205	192.168.2.8
Sep 26, 2024 07:25:11.023104906 CEST	49709	443	192.168.2.8	104.26.12.205
Sep 26, 2024 07:25:11.142725945 CEST	49709	443	192.168.2.8	104.26.12.205
Sep 26, 2024 07:25:11.183434010 CEST	443	49709	104.26.12.205	192.168.2.8
Sep 26, 2024 07:25:11.250452042 CEST	443	49709	104.26.12.205	192.168.2.8
Sep 26, 2024 07:25:11.250521898 CEST	443	49709	104.26.12.205	192.168.2.8
Sep 26, 2024 07:25:11.250616074 CEST	49709	443	192.168.2.8	104.26.12.205
Sep 26, 2024 07:25:11.377949953 CEST	49709	443	192.168.2.8	104.26.12.205
Sep 26, 2024 07:25:13.120582104 CEST	49711	25	192.168.2.8	46.175.148.58
Sep 26, 2024 07:25:14.257474899 CEST	49711	25	192.168.2.8	46.175.148.58
Sep 26, 2024 07:25:15.205766916 CEST	49712	443	192.168.2.8	104.26.12.205
Sep 26, 2024 07:25:15.205813885 CEST	443	49712	104.26.12.205	192.168.2.8
Sep 26, 2024 07:25:15.206573963 CEST	49712	443	192.168.2.8	104.26.12.205
Sep 26, 2024 07:25:15.210093021 CEST	49712	443	192.168.2.8	104.26.12.205
Sep 26, 2024 07:25:15.210109949 CEST	443	49712	104.26.12.205	192.168.2.8
Sep 26, 2024 07:25:15.713049889 CEST	443	49712	104.26.12.205	192.168.2.8
Sep 26, 2024 07:25:15.713143110 CEST	49712	443	192.168.2.8	104.26.12.205
Sep 26, 2024 07:25:15.715303898 CEST	49712	443	192.168.2.8	104.26.12.205
Sep 26, 2024 07:25:15.715312958 CEST	443	49712	104.26.12.205	192.168.2.8
Sep 26, 2024 07:25:15.715603113 CEST	443	49712	104.26.12.205	192.168.2.8
Sep 26, 2024 07:25:15.757466078 CEST	49712	443	192.168.2.8	104.26.12.205
Sep 26, 2024 07:25:15.781460047 CEST	49712	443	192.168.2.8	104.26.12.205
Sep 26, 2024 07:25:15.827394009 CEST	443	49712	104.26.12.205	192.168.2.8
Sep 26, 2024 07:25:15.909660101 CEST	443	49712	104.26.12.205	192.168.2.8
Sep 26, 2024 07:25:15.909778118 CEST	443	49712	104.26.12.205	192.168.2.8
Sep 26, 2024 07:25:15.909898043 CEST	49712	443	192.168.2.8	104.26.12.205
Sep 26, 2024 07:25:15.913064957 CEST	49712	443	192.168.2.8	104.26.12.205
Sep 26, 2024 07:25:16.257461071 CEST	49711	25	192.168.2.8	46.175.148.58
Sep 26, 2024 07:25:16.554302931 CEST	49714	25	192.168.2.8	46.175.148.58
Sep 26, 2024 07:25:17.623827934 CEST	49714	25	192.168.2.8	46.175.148.58
Sep 26, 2024 07:25:19.632471085 CEST	49714	25	192.168.2.8	46.175.148.58
Sep 26, 2024 07:25:20.257488012 CEST	49711	25	192.168.2.8	46.175.148.58
Sep 26, 2024 07:25:23.632477045 CEST	49714	25	192.168.2.8	46.175.148.58
Sep 26, 2024 07:25:28.257688999 CEST	49711	25	192.168.2.8	46.175.148.58
Sep 26, 2024 07:25:31.632509947 CEST	49714	25	192.168.2.8	46.175.148.58

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 26, 2024 07:25:10.415407896 CEST	62645	53	192.168.2.8	1.1.1.1
Sep 26, 2024 07:25:10.422221899 CEST	53	62645	1.1.1.1	192.168.2.8
Sep 26, 2024 07:25:13.107455969 CEST	59472	53	192.168.2.8	1.1.1.1
Sep 26, 2024 07:25:13.119957924 CEST	53	59472	1.1.1.1	192.168.2.8
Sep 26, 2024 07:25:27.499181032 CEST	53	54908	1.1.1.1	192.168.2.8
Sep 26, 2024 07:25:53.092528105 CEST	53	58771	162.159.36.2	192.168.2.8
Sep 26, 2024 07:25:53.576627970 CEST	53	52433	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 26, 2024 07:25:10.415407896 CEST	192.168.2.8	1.1.1.1	0x36c7	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Sep 26, 2024 07:25:13.107455969 CEST	192.168.2.8	1.1.1.1	0xee65	Standard query (0)	mail.iaa-airferight.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Sep 26, 2024 07:25:10.422221899 CEST	1.1.1.1	192.168.2.8	0x36c7	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Sep 26, 2024 07:25:10.422221899 CEST	1.1.1.1	192.168.2.8	0x36c7	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
Sep 26, 2024 07:25:10.422221899 CEST	1.1.1.1	192.168.2.8	0x36c7	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Sep 26, 2024 07:25:13.119957924 CEST	1.1.1.1	192.168.2.8	0xee65	No error (0)	mail.iaa-airferight.com	46.175.148.58	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49709	104.26.12.205	443	4508	C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 05:25:11 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-09-26 05:25:11 UTC	211	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 05:25:11 GMT Content-Type: text/plain Content-Length: 11 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8c90d4f8fb417ced-EWR
2024-09-26 05:25:11 UTC	11	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49712	104.26.12.205	443	7500	C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 05:25:15 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-09-26 05:25:15 UTC	211	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 05:25:15 GMT Content-Type: text/plain Content-Length: 11 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8c90d515ffc719fb-EWR
2024-09-26 05:25:15 UTC	11	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33

Target ID:	0
Start time:	01:25:06
Start date:	26/09/2024
Path:	C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe"
Imagebase:	0x770000
File size:	991'848 bytes
MD5 hash:	8D310F2E831174AAC8EAA5EBA20E87AD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1461636343.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1461636343.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	01:25:07
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe"
Imagebase:	0x310000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	01:25:07
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	01:25:08
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe"
Imagebase:	0x310000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	01:25:08
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	01:25:08
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zBzzGAdzqF" /XML "C:\Users\user\AppData\Local\Temp\tmp4878.tmp"
Imagebase:	0x4b0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	01:25:08
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	01:25:08
Start date:	26/09/2024
Path:	C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe"
Imagebase:	0x120000
File size:	991'848 bytes
MD5 hash:	8D310F2E831174AAC8EAA5EBA20E87AD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	01:25:08
Start date:	26/09/2024
Path:	C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Telco 32pcs New Purchase Order.exe"
Imagebase:	0x8c0000
File size:	991'848 bytes
MD5 hash:	8D310F2E831174AAC8EAA5EBA20E87AD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.2689533130.0000000002C0C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.2689533130.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.2689533130.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.2685907689.0000000000435000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.2685907689.0000000000435000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	01:25:09
Start date:	26/09/2024
Path:	C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe
Imagebase:	0xa40000
File size:	991'848 bytes
MD5 hash:	8D310F2E831174AAC8EAA5EBA20E87AD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 45%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	01:25:12
Start date:	26/09/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff605670000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	01:25:13
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zBzzGAdzqF" /XML "C:\Users\user\AppData\Local\Temp\tmp5C8D.tmp"
Imagebase:	0x4b0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	01:25:13
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	01:25:13
Start date:	26/09/2024
Path:	C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\zBzzGAdzqF.exe"
Imagebase:	0xce0000
File size:	991'848 bytes
MD5 hash:	8D310F2E831174AAC8EAA5EBA20E87AD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000002.2689631627.0000000003141000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.2689631627.0000000003141000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.2689631627.0000000003165000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	9.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	5.1%
Total number of Nodes:	214
Total number of Limit Nodes:	14

Executed Functions

Function 050F9700 Relevance: 5.0, Strings: 2, Instructions: 2492
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$'q, xrefs: 050F97AC
''q, xrefs: 050F9760

Memory Dump Source

Source File: 00000000.00000002.1467913981.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID: ''q$$'q
API String ID: 0-2770139231
Opcode ID: 89c907f0c1071a8dc72dfc648d7c0b7390b243bd39881a98f129bbbc385d3bbf
Instruction ID: 82edb96c846288b58c5cc083ed00115085e4359f58888b7d40f780d2bd510b66
Opcode Fuzzy Hash: 89c907f0c1071a8dc72dfc648d7c0b7390b243bd39881a98f129bbbc385d3bbf
Instruction Fuzzy Hash: 6643B274A10219CFCB25EF24C994AD9B3B6FF89304F1146E9E509AB361DB31AE85CF40

Function 050F96F2 Relevance: 5.0, Strings: 2, Instructions: 2470
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$'q, xrefs: 050F97AC
''q, xrefs: 050F9760

Memory Dump Source

Source File: 00000000.00000002.1467913981.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID: ''q$$'q
API String ID: 0-2770139231
Opcode ID: d3da952da15af935a1dfd2499811bd7b2da7cd3af2dc69ecc337e53c1e8fc11e
Instruction ID: 4eff1a27c20d3d41194acccd5a21b99401528cae68d5818959399cf8fbed1cc6
Opcode Fuzzy Hash: d3da952da15af935a1dfd2499811bd7b2da7cd3af2dc69ecc337e53c1e8fc11e
Instruction Fuzzy Hash: D643B274A10219CFCB25EF24C994AD9B3B6FF99304F1146E9E509AB361DB31AE85CF40

Function 071D9691 Relevance: 3.1, APIs: 2, Instructions: 107
memoryinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 071D9646
WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 071D9728

Memory Dump Source

Source File: 00000000.00000002.1482525895.00000000071D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71d0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID: AllocMemoryProcessVirtualWrite
String ID:
API String ID: 645232735-0
Opcode ID: fa3202abb47943552b5431a44b97b21e9398e7542dbc76be5d6b404ddfd24c84
Instruction ID: 43e99a4fff5f9664b494accc492be6ebf6afbe48ab8841748dac18a288d8ee59
Opcode Fuzzy Hash: fa3202abb47943552b5431a44b97b21e9398e7542dbc76be5d6b404ddfd24c84
Instruction Fuzzy Hash: A54148B29003499FDF10CFAAD844BDEBBF5EF48310F14841AE519A7250C779A950DFA0

Function 071D0006 Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1482525895.00000000071D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71d0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10511b45ad00db8e8a3b5b9764fea3ca8771d3a95426277ea8819e5a68bff42b
Instruction ID: 70297f909d6781ae42cad1f1db5d1e4a9527a6cb2a80889a9b09230a5b851362
Opcode Fuzzy Hash: 10511b45ad00db8e8a3b5b9764fea3ca8771d3a95426277ea8819e5a68bff42b
Instruction Fuzzy Hash: E9B1F2B4D05258CFDB18CFA9C8446ADFBF2BF8A300F15916AD408BB295D7749986CF20

Function 071D0040 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1482525895.00000000071D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71d0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a4c93e56002b58ee4c153101db7a6c0d6ad8e33175eb99a0b69a7e667a08cc1
Instruction ID: 1be8692e2e9d49f9620de81a4fd07998afcfc7e301c5d981926e63bc9418dbb0
Opcode Fuzzy Hash: 4a4c93e56002b58ee4c153101db7a6c0d6ad8e33175eb99a0b69a7e667a08cc1
Instruction Fuzzy Hash: D7B1D1B4D05218DFDB18DFAAC8446ADFBF6BF8A300F14912AD409B7285D7749986CF20

Function 071DCAA8 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1482525895.00000000071D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71d0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6afe20a179c1380d76fda860dae9f81b5e1b0aafc7f349ea0d83fff89ba336bc
Instruction ID: c76c8d2412f00c094ef88b521696e87471e281e134c91fe56ccadf4ea7b0d7d2
Opcode Fuzzy Hash: 6afe20a179c1380d76fda860dae9f81b5e1b0aafc7f349ea0d83fff89ba336bc
Instruction Fuzzy Hash: FD81FDB4D55619CFDB28CF56C8407D9BBB6BF8A300F1095AAD40DA7290DB705E85CF50

Function 071D3619 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1482525895.00000000071D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71d0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b0622bbd4c7c702058a59505991df14ea38d45e0730ba17d1a2091c90595560
Instruction ID: 78871ab7de163a61da9ab0ede47e09e79e06fddc546bf1df31bed93064ce09b6
Opcode Fuzzy Hash: 3b0622bbd4c7c702058a59505991df14ea38d45e0730ba17d1a2091c90595560
Instruction Fuzzy Hash: EC4125B0D09208DFDB08CFAAD4446EEBBF2AB8E301F15D06AD429A7291DB344E45CF55

Function 071DD062 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1482525895.00000000071D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71d0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b18688c176a917b39c339e0f1653b3f45f30589c75056b917590e9ac6563988
Instruction ID: 72cf574166e282c05118e5fa06f8599bf2b242f0799a0eb45fd1436c7175c9ab
Opcode Fuzzy Hash: 1b18688c176a917b39c339e0f1653b3f45f30589c75056b917590e9ac6563988
Instruction Fuzzy Hash: A92134B4914228CFCB24CF60D9887E9BBB0EB0A305F1094DAC44DA7281C7358ECACF54

Function 071D9915 Relevance: 1.7, APIs: 1, Instructions: 248
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 071D9B56

Memory Dump Source

Source File: 00000000.00000002.1482525895.00000000071D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71d0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: c4486bb1a8e52362e19bf7b70678fa30a284a665b879f9c333b26c8524c5e4eb
Instruction ID: 1bdc9d8e2dcf77fe06bb895497a8f6cade6969cf02b5f9edba4ff4eb0511d552
Opcode Fuzzy Hash: c4486bb1a8e52362e19bf7b70678fa30a284a665b879f9c333b26c8524c5e4eb
Instruction Fuzzy Hash: 3CA17EB1D10219CFDB25CFA9C840BDEBBB2FF48710F14816AD859A7280DB759985CF91

Function 071D9920 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 071D9B56

Memory Dump Source

Source File: 00000000.00000002.1482525895.00000000071D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71d0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 98c11b96a9062865fac7d549788db712148b9fa968117f2b92e907478ad09416
Instruction ID: d6165f7c5ff132cef016878174d6b714d6f1dbf0b48a9a911cb4f56232a11e6b
Opcode Fuzzy Hash: 98c11b96a9062865fac7d549788db712148b9fa968117f2b92e907478ad09416
Instruction Fuzzy Hash: E2916DB1D10219CFEB25CFA9C840BDEBBB2FF44710F14816AD859A7280DB75A985CF91

Function 011FADA8 Relevance: 1.7, APIs: 1, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 011FAFFE

Memory Dump Source

Source File: 00000000.00000002.1459715695.00000000011F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11f0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: baa9b5e33909e3a9d91cd4c6c73e4baa566f6e8c4c7cca7658bccebfd9b70fe6
Instruction ID: 502bcfd9ff7a63a89af2897cee8307f9742a63eb604eb5912f2957b51a9b9726
Opcode Fuzzy Hash: baa9b5e33909e3a9d91cd4c6c73e4baa566f6e8c4c7cca7658bccebfd9b70fe6
Instruction Fuzzy Hash: 98715870A00B058FE728DF2AE44475ABBF5FF88204F00892DD69AD7B40DB79E845CB95

Function 011F44E0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 011F59C9

Memory Dump Source

Source File: 00000000.00000002.1459715695.00000000011F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11f0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: ef1a59f7dead0acbf32a1616cc849b55321a5727d855ff6adb5906626e8d339d
Instruction ID: f6b2fe3faf67e294ac43c06bea76e514d293c0487c1ecc96cf80bacd24c7dfdd
Opcode Fuzzy Hash: ef1a59f7dead0acbf32a1616cc849b55321a5727d855ff6adb5906626e8d339d
Instruction Fuzzy Hash: FE41C270C0071DCFDB28CFA9C884B9EBBB6BF49704F24806AD519AB251DB75594ACF90

Function 011F590D Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 011F59C9

Memory Dump Source

Source File: 00000000.00000002.1459715695.00000000011F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11f0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: ddb1027db293dc729ec863a292e61ebf4388fa0e69313215d74dfa306fe456e5
Instruction ID: 6f87f09fe329209c00823c6a597e2023ababbf8419b572b8bad9414d71a91bef
Opcode Fuzzy Hash: ddb1027db293dc729ec863a292e61ebf4388fa0e69313215d74dfa306fe456e5
Instruction Fuzzy Hash: CA41E0B0C00719CFDB28CFA9C884BDEBBB2BF48304F24805AD519AB251DB75594ACF50

Function 050F4050 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 050F4111

Memory Dump Source

Source File: 00000000.00000002.1467913981.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 6f3164e6fb6f480e8b7c057694c266cc74a1b9004bc634e10958b487fdbcde02
Instruction ID: 16aff11a655b8eaf186408407b270fb388356819dea5af0d5df2a358667c4557
Opcode Fuzzy Hash: 6f3164e6fb6f480e8b7c057694c266cc74a1b9004bc634e10958b487fdbcde02
Instruction Fuzzy Hash: 7A4108B9900309CFDB14CF95D848AAEBBF6FB88314F248459D519AB321D775A841CFA0

Function 071D9698 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 071D9728

Memory Dump Source

Source File: 00000000.00000002.1482525895.00000000071D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71d0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 659dad9de9c97d5d6032f67f64611df8b93afa626074cd2dd8fed47a21890b9f
Instruction ID: 6fc484d967a15c4a661d7d2260ebf7853569194712200efc6afff5ed05cd56ae
Opcode Fuzzy Hash: 659dad9de9c97d5d6032f67f64611df8b93afa626074cd2dd8fed47a21890b9f
Instruction Fuzzy Hash: 482125B19003499FDB10CFAAC885BDEBBF5FF48310F10842AE919A7240D779A944CFA4

Function 071D9781 Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 071D9808

Memory Dump Source

Source File: 00000000.00000002.1482525895.00000000071D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71d0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 9224f1ad04a3b50b7893f3cb1fd0f755d23159018aa1aafc10eeab58b4f08f49
Instruction ID: 1e784570948fd5e23c1401b972d3ae3122c8a74c7b2870336ffd19b631f14dac
Opcode Fuzzy Hash: 9224f1ad04a3b50b7893f3cb1fd0f755d23159018aa1aafc10eeab58b4f08f49
Instruction Fuzzy Hash: 112126B18003599FDB10CFAAD845BDEBBF5FF48720F14842AE918A7241C7799940DBA1

Function 071D90C2 Relevance: 1.6, APIs: 1, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 071D9146

Memory Dump Source

Source File: 00000000.00000002.1482525895.00000000071D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71d0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 5e4f01c48a9bc509d4519534e34e016f804bd531d580055f3c25d322a725ebc1
Instruction ID: f663210c9189ae4406e52a488f3157e4c1b801b55188cf99093abb3246131865
Opcode Fuzzy Hash: 5e4f01c48a9bc509d4519534e34e016f804bd531d580055f3c25d322a725ebc1
Instruction Fuzzy Hash: 102107B19003498FDB14DFAAC885BEEBBF5EF48324F14842AD459A7241C778A945CFA4

Function 011FB790 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,011FD646,?,?,?,?,?), ref: 011FD707

Memory Dump Source

Source File: 00000000.00000002.1459715695.00000000011F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11f0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: cb3a0f4ac84e2bea8fcb69ee7f760fa9d05f85e3cfcdc80033142d48cd535d2b
Instruction ID: f34d5dd0d47fb903e64e1de974cc45331cae897eef90d8db75bb33555ff5839b
Opcode Fuzzy Hash: cb3a0f4ac84e2bea8fcb69ee7f760fa9d05f85e3cfcdc80033142d48cd535d2b
Instruction Fuzzy Hash: 6E21E5B5900248DFDB10CFAAD484AEEFBF9EB48314F14841AE918A7350D378A944CFA5

Function 071D9788 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 071D9808

Memory Dump Source

Source File: 00000000.00000002.1482525895.00000000071D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71d0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: e2e51e857fc1caca1874be78717c57b8e78190ca1d5e98d98c0ef6647f7eb2df
Instruction ID: 588cb46370c81da8b7dc8e5b138e37f580e27e7d71f6721903feda25f3bc442c
Opcode Fuzzy Hash: e2e51e857fc1caca1874be78717c57b8e78190ca1d5e98d98c0ef6647f7eb2df
Instruction Fuzzy Hash: E12116B18003599FDB10CFAAC845BDEBBF5FF48710F10842AE519A7240C7799940DFA4

Function 071D90C8 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 071D9146

Memory Dump Source

Source File: 00000000.00000002.1482525895.00000000071D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71d0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: b2bdef5d42cf219bfc7b1feddb511318a3ae7e4bb5c089a3f5d0a4b1f1eca83f
Instruction ID: f2ee8557e9d11afae61880c48c3ecc074148687442c9f37320fc6e1835114806
Opcode Fuzzy Hash: b2bdef5d42cf219bfc7b1feddb511318a3ae7e4bb5c089a3f5d0a4b1f1eca83f
Instruction Fuzzy Hash: B02129B1D003099FDB10DFAAC8857EEBBF5EF48724F14842AD519A7240CB78A945CFA4

Function 011FD679 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,011FD646,?,?,?,?,?), ref: 011FD707

Memory Dump Source

Source File: 00000000.00000002.1459715695.00000000011F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11f0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: aa162aebeeceed97a9a00244b7217b5d89041961f92f8639b17eedaeef0483a0
Instruction ID: ff13ffc9962dd6b2ef5907cf7256ed88bd8eedc4bcee6a29b78c1f2192d348f5
Opcode Fuzzy Hash: aa162aebeeceed97a9a00244b7217b5d89041961f92f8639b17eedaeef0483a0
Instruction Fuzzy Hash: 6E21E2B5D00248DFDB10CFAAD584AEEBBF5FB48314F14841AE918A7250D378A944CF64

Function 071D95D0 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 071D9646

Memory Dump Source

Source File: 00000000.00000002.1482525895.00000000071D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71d0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b7e8be7c41659734d372733620fa232b7e33a10b3d7c4c703a335738ffb0ff12
Instruction ID: dab8c4042af08969793cc5acaabce235915f63098003e6b017007de0124be6b7
Opcode Fuzzy Hash: b7e8be7c41659734d372733620fa232b7e33a10b3d7c4c703a335738ffb0ff12
Instruction Fuzzy Hash: D81147729002499FDB10DFAAD844BDEBFF5EF48320F24841AE515A7250C779A954CFA0

Function 071D95D8 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 071D9646

Memory Dump Source

Source File: 00000000.00000002.1482525895.00000000071D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71d0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 8f33f6e350b927ce5be501da841ce5b01a45530edd055ac82b2544f3edfb205b
Instruction ID: 9d41b279295f52ad2e71b82155aeb123f5c4b1f18bd2819d5cfd8e1f76e3e306
Opcode Fuzzy Hash: 8f33f6e350b927ce5be501da841ce5b01a45530edd055ac82b2544f3edfb205b
Instruction Fuzzy Hash: 021137718003499FDB10DFAAC844BDFBBF5EF48720F14881AE515A7250C779A940CFA4

Function 071DDCD9 Relevance: 1.5, APIs: 1, Instructions: 49windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 071DDD3D

Memory Dump Source

Source File: 00000000.00000002.1482525895.00000000071D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71d0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 2c4961fcd9ce9f2ebace08adb1d4c155da6c45e993988daf3ab1261def0afaf9
Instruction ID: 05e66762dcb7ffd8c3c3ed87435899be01a8d76c5d60bf6fa3c4e468ef505b32
Opcode Fuzzy Hash: 2c4961fcd9ce9f2ebace08adb1d4c155da6c45e993988daf3ab1261def0afaf9
Instruction Fuzzy Hash: A81106B5800349DFDB10DF9AD845BDEFBF8EB49324F10881AD558A7240C375A944CFA1

Function 071D8BD8 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 071D8C42

Memory Dump Source

Source File: 00000000.00000002.1482525895.00000000071D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71d0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: d7bc5936f8e5df19dbf31de61188682399c809bf051e36ff5efad24692b5b0c2
Instruction ID: 1a08b1679ce1380f85122b9e28268e8c0c8ca2fce2200a43c351ea23cec690d7
Opcode Fuzzy Hash: d7bc5936f8e5df19dbf31de61188682399c809bf051e36ff5efad24692b5b0c2
Instruction Fuzzy Hash: 171146B1900349CFDB24CFAAC5447EEFBF5EF88224F24881AD519A7240C779A944CFA4

Function 071D8BE0 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 071D8C42

Memory Dump Source

Source File: 00000000.00000002.1482525895.00000000071D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71d0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: cea68ccd8c84d3954c78da816290591652ac9a1cccab17c2d09943d20413837d
Instruction ID: 46bb8aff752f28f61ad8803f43a52424e418b924124692576b12e3aa9387252f
Opcode Fuzzy Hash: cea68ccd8c84d3954c78da816290591652ac9a1cccab17c2d09943d20413837d
Instruction Fuzzy Hash: C91128B19003488FDB24DFAAC4447DEFBF5EF88624F24881AD519A7240CB79A944CFA4

Function 071DBF1C Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 071DDD3D

Memory Dump Source

Source File: 00000000.00000002.1482525895.00000000071D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71d0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 6f0437aba939ca713c95905b16aa9b452a34ee90bc12918a87b8f2b21a5d4e67
Instruction ID: 9ad46fa5de13496929b67b88f2763167e780d884c979106d08402ba69ca41972
Opcode Fuzzy Hash: 6f0437aba939ca713c95905b16aa9b452a34ee90bc12918a87b8f2b21a5d4e67
Instruction Fuzzy Hash: 3E1122B5800708DFCB10CF9AD884BDEBBF8EB48320F10841AE558A7240C3B9A944CFA4

Function 011FAF98 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 011FAFFE

Memory Dump Source

Source File: 00000000.00000002.1459715695.00000000011F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11f0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: c5c7a0c34b981b415f1993d06325d532f416dab15eee4914a263b8dfdcfafd6c
Instruction ID: 32ddae1ecebe2bbfa4e61fde697eb74f860a68f67c42ed6a9174e419e50e8249
Opcode Fuzzy Hash: c5c7a0c34b981b415f1993d06325d532f416dab15eee4914a263b8dfdcfafd6c
Instruction Fuzzy Hash: 6F1110B5C002498FDB24CF9AD444BDEFBF4EF88224F10841AD529A7210C379A545CFA5

Function 056EC219 Relevance: .5, Instructions: 469COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1477512999.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c02b5eef1520752278d691fce8f2fab94512a541993ac80e982d8fa64f7a8cbb
Instruction ID: 09430034c8f1be77eb36d3bf3c39b46f4e8be14f1684d3dce0fca2764c766ef9
Opcode Fuzzy Hash: c02b5eef1520752278d691fce8f2fab94512a541993ac80e982d8fa64f7a8cbb
Instruction Fuzzy Hash: 2DE1202170331287CB5AAF7D88D052EB6A7AFD4640358D87C99169F3AADF78CC09C794

Function 056EC228 Relevance: .5, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1477512999.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37a9a193b2e54b0b67727aa2058db81127a0645726d662566623caecd544685e
Instruction ID: c1548a889ce92188ee8bac242d7c0d62d14dd0af96c065d73df4e09e39c14c80
Opcode Fuzzy Hash: 37a9a193b2e54b0b67727aa2058db81127a0645726d662566623caecd544685e
Instruction Fuzzy Hash: 5DE12F2170331287CB5AAF7D88D052EB6A7AFD4640358D87C99169F3AADF78CC09C794

Function 056E3050 Relevance: .3, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1477512999.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e118b411e153174bbb0675902f4f85f7c2fd930572a4bbbdd00a0c83434ef889
Instruction ID: 623ff09946ceefa846b24cfe8735743711a4cd4ee0741f6cf8f4c7c1c7e86418
Opcode Fuzzy Hash: e118b411e153174bbb0675902f4f85f7c2fd930572a4bbbdd00a0c83434ef889
Instruction Fuzzy Hash: C5C15D70A007589FDB14DFA5C844BEEBBB5FF89300F14819AE849A7350EB709986CF91

Function 056E322C Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1477512999.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8daa7b24561d912efe0c663a190756e0e638b5c74dfc5a1a7224a28215db9ec
Instruction ID: 39df715df2175cf7141884f30cd0b915dce8b5ba8b39b4bc5b5d1f15140d1e4c
Opcode Fuzzy Hash: f8daa7b24561d912efe0c663a190756e0e638b5c74dfc5a1a7224a28215db9ec
Instruction Fuzzy Hash: CE911931E11209CFCF14DF68D894ADDB7B5FF59300F1086A9E909AB225EB30AA85CF50

Function 056E9ABF Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1477512999.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16ae87cf269c39e28ea3ea527700366d44b9e9421f47813825cdef9a8dc00dc7
Instruction ID: 9c148b052ba1404811544331a4fad60e953f7d36ee10a5ed746eedb1e52e3e40
Opcode Fuzzy Hash: 16ae87cf269c39e28ea3ea527700366d44b9e9421f47813825cdef9a8dc00dc7
Instruction Fuzzy Hash: 42912C75A007589FDB14DF64C840BEEBBB1FF89700F10819AE849A7251EB70AA86CF51

Function 056E3030 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1477512999.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c15007f556fc46468424b7bab61480061794f85ae6f44c820045d7255d13aeed
Instruction ID: f9a101fcbbc3b3d737ec92af0408cfd46d1226f56f71d3f80f879d05919f855c
Opcode Fuzzy Hash: c15007f556fc46468424b7bab61480061794f85ae6f44c820045d7255d13aeed
Instruction Fuzzy Hash: 4F51AC30B116158FDB08DBB9D858A6EBBEAFFC8750B158569E819DB3A0DF70DC018790

Function 056EE5C3 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1477512999.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c335307f7513e7d2f845c71c33f71d5168777b064c5e047e30df775654bfb224
Instruction ID: ba5c00b8c5b2a168c40c38975b0ba2978af24c6fab967c45a1715a4c7ea8c157
Opcode Fuzzy Hash: c335307f7513e7d2f845c71c33f71d5168777b064c5e047e30df775654bfb224
Instruction Fuzzy Hash: 9C610974A5320ACFCB00EFA8E5849AEBBF6FF09300F105569E805A7354DB369E49CB55

Function 056E8D58 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1477512999.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36432c44f42d1ac375931ff6e587e281b0b3f0b2d99c048a0f557b814b68daeb
Instruction ID: 3e694a4369b8c41b76712d694b5b2652471ccda84f1a62f012ef2505697b6bd6
Opcode Fuzzy Hash: 36432c44f42d1ac375931ff6e587e281b0b3f0b2d99c048a0f557b814b68daeb
Instruction Fuzzy Hash: BA613831A11709DFCB14DFA9C894A9DBBF2FF88310F208159E909AB361DB71AD85CB40

Function 056EE7F0 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1477512999.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d78745a445e0db90c0f9747e5e9eb3ce672e6bcc622f2dbb5df0e8ef257a217
Instruction ID: 2083b931755b42ce17e1a65b6ee946886abcf350dcc0661d8cdf9b4989c14c6b
Opcode Fuzzy Hash: 5d78745a445e0db90c0f9747e5e9eb3ce672e6bcc622f2dbb5df0e8ef257a217
Instruction Fuzzy Hash: 2C51D0B4D06218CFDB54CFA5D8496EEBBBAFB8A300F14902AE416B3340DBB51946CF54

Function 056E9168 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1477512999.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f00a7154ceebdc9192968284796793bb80dc4768edb9dd852407008684717539
Instruction ID: b09e51e5532c93b6e59691032be8d51b8a31fd4e7ce7c84cf46bcd3f8c8ed55e
Opcode Fuzzy Hash: f00a7154ceebdc9192968284796793bb80dc4768edb9dd852407008684717539
Instruction Fuzzy Hash: B4419A72A05348AFCB04DFA9D849A9EBFF9EF49210F14846AE805E7350D735A904CBA0

Function 056EE800 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1477512999.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0b69ee9480ef09f70714810049d0ec66cdf22d6b31fc89f1067a932d3924c86
Instruction ID: f87c50e6b2593480a061f38ec261cbc356ca5b3e7312063b6ee567a5defd875a
Opcode Fuzzy Hash: a0b69ee9480ef09f70714810049d0ec66cdf22d6b31fc89f1067a932d3924c86
Instruction Fuzzy Hash: 6051D0B4D06218CFDB54CFA5D8496EEBBBAFB8A300F04902AE416B3340DBB51946CF54

Function 056E31C2 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1477512999.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66b4665e1b74810d954b3afb450d5b8094edb0c99209fbe434330d2fc9abf69e
Instruction ID: 02d692c8f2ab6244a27643fd17a99e12839f404d7249d7bc14071c50940fefe4
Opcode Fuzzy Hash: 66b4665e1b74810d954b3afb450d5b8094edb0c99209fbe434330d2fc9abf69e
Instruction Fuzzy Hash: 1251D231D11209CFCF11DF68D884ADDBBB1FF49310F148299D849AB315EB30A948CB90

Function 056E69D8 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1477512999.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 985f81b820b6cdf3acb7c0d9a1e8f8f9e34feb4f7f5ceba71ffac07ba9542f09
Instruction ID: d885ebccab9837caf573cc661666a705df30684827c1852c2f7531f57605ee52
Opcode Fuzzy Hash: 985f81b820b6cdf3acb7c0d9a1e8f8f9e34feb4f7f5ceba71ffac07ba9542f09
Instruction Fuzzy Hash: E6413C71A01209CFCB54DF68D88499AFBF5FF98310B14C66AD819EB345EB34E945CBA0

Function 056E7A48 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1477512999.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebd20dc0f2543deef0e1af0f2129c0442234af5a40c5f9ed33d1e5046a3574d3
Instruction ID: d97895c9dffb41fdd5d0ae0789903793935d27897ad6cbb6fa8b0656ef03134f
Opcode Fuzzy Hash: ebd20dc0f2543deef0e1af0f2129c0442234af5a40c5f9ed33d1e5046a3574d3
Instruction Fuzzy Hash: 8C416D30B056058FDB05EB68C858AADBBF6EFC9210F14849AD005DB3A1DB74DD85CB92

Function 056EDFBC Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1477512999.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83fd8cc2c6d66dd4b9ba11f115f4949c0104bd72472609ee5c5d99f29f22c22e
Instruction ID: 136134e0fb438e886ef84cb10323ba65d21dcecdc8e02612efb9759cb7a41b64
Opcode Fuzzy Hash: 83fd8cc2c6d66dd4b9ba11f115f4949c0104bd72472609ee5c5d99f29f22c22e
Instruction Fuzzy Hash: 11317E74B023089FDB19EB7498585BEBBF6EFC9210B54886EE81597380DF308D05CB51

Function 056E6411 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1477512999.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c23618e5ce549c4091e2c7679c01948448b90d7dca05c1ed1342b48d604f438
Instruction ID: 87fac7656e121c19e02b073bb8efcd4cdcfcb0ebec5778c7c2608beb2d17e828
Opcode Fuzzy Hash: 3c23618e5ce549c4091e2c7679c01948448b90d7dca05c1ed1342b48d604f438
Instruction Fuzzy Hash: 75417E31A11219CBCF10DF68D984ADDB7B5FF59300F1486A9E909AB355DB30AD89CF50

Function 056EDCAF Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1477512999.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e17e2caa4608bec7f82979a474613145c1ecdc73b39310134aa14b3247bb79f8
Instruction ID: 0b275c44814aad1e942b28399e188d90ff5bd3867e41f551e3bf1b92a49f96ea
Opcode Fuzzy Hash: e17e2caa4608bec7f82979a474613145c1ecdc73b39310134aa14b3247bb79f8
Instruction Fuzzy Hash: 90315778D05209EFCB04DFA9D684AADBBF5FB89300F1080A9D814B3360EB749A55CF91

Function 056EED88 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1477512999.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35ae2dc4549ba0b510ff7178da9452b3d074dfc9fd9cc10bb3bb9a8949d5f0fd
Instruction ID: 26e85993633874b305b87b2830b3d07d9a82b3c23a19a321ffa4faea373c0e25
Opcode Fuzzy Hash: 35ae2dc4549ba0b510ff7178da9452b3d074dfc9fd9cc10bb3bb9a8949d5f0fd
Instruction Fuzzy Hash: 14312375E06209DFCB04DFA9E8846EEBBFABB89310F10842AE415B7350DB725D45CB94

Function 056EED98 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1477512999.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72c762eb710b5ef2865ff983144bc3917504811438ad1b2b650847bdf69f2bab
Instruction ID: fef67369d3ec93b290f6be54d3e18afc9ddc27e7cfe09e73b6ba90206d24917e
Opcode Fuzzy Hash: 72c762eb710b5ef2865ff983144bc3917504811438ad1b2b650847bdf69f2bab
Instruction Fuzzy Hash: A4311374E06218DFDB04DFA9E484AEEBBBABF89310F109429E415B7350DB725D41CB54

Function 056E8AD8 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1477512999.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bc90e51cb909c93a077e179430ac0ed072b36c202f36e4b6dbaa85970800578
Instruction ID: 16960aa3f4d7dddd38ec6bdb71a7c0d5756cdd38420b1ee7243049e12ca3b862
Opcode Fuzzy Hash: 2bc90e51cb909c93a077e179430ac0ed072b36c202f36e4b6dbaa85970800578
Instruction Fuzzy Hash: 7C2107B2901318DFD714CF69D844B9ABBF5FF45360F24C669E9159B390DB719802CB90

Function 056E6E60 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1477512999.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac98f2d877f2b9fb2ff161964a66d84f5c41174b6e15318b227afc8783f39899
Instruction ID: b3d8ee334c2989122e6b9f0d7b77ad9ebc3c9b2590448d91138640f4c11707c0
Opcode Fuzzy Hash: ac98f2d877f2b9fb2ff161964a66d84f5c41174b6e15318b227afc8783f39899
Instruction Fuzzy Hash: C0316B35A063189FCB04DFA9E844ADDBBB2BF88310F0484AAE405AB361D730E945CB64

Function 056E3268 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1477512999.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 686ef29f4bc54c59502519e2bcad2e9fdb807af8d9daad13c4696dcf6c6b5ee6
Instruction ID: fbc3bc9988757107bab38eb1a4cbbffe56bb98cd58661c8c1a553e5fb109e2a8
Opcode Fuzzy Hash: 686ef29f4bc54c59502519e2bcad2e9fdb807af8d9daad13c4696dcf6c6b5ee6
Instruction Fuzzy Hash: F221A0735073908FE3128B7CCC51BDA3BA1FF82651F04095AC4888B352DA58D946C7A5

Function 056EB021 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1477512999.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92ef524116f57cb233b1524780d4e31ee9481ecf29ea1748249e90fc53b1c22e
Instruction ID: 2b2b0921801ad15577632477fb65f95f7fd362fcd6501013b47236c1b1a7841b
Opcode Fuzzy Hash: 92ef524116f57cb233b1524780d4e31ee9481ecf29ea1748249e90fc53b1c22e
Instruction Fuzzy Hash: 49216034B016098FCB00EB68C849AAEBBF6EF89710F05415AE406DB371DB70DD45CB91

Function 0115D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1459348359.000000000115D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0115D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_115d000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1735d6f05d7f2091a9a7fe6f4a8a0b31264f0c7d6f3c0ecdfa718167faf6c0e
Instruction ID: 0c5ffe010eabdaa296ec0934801a5e2cb57d458284b6f3f2a5a9607f700d48eb
Opcode Fuzzy Hash: c1735d6f05d7f2091a9a7fe6f4a8a0b31264f0c7d6f3c0ecdfa718167faf6c0e
Instruction Fuzzy Hash: 3521F1B1510344DFDF59DF94E9C0B26BF75FB88218F20C569EC090A256C336D456CBA2

Function 0116D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1459411597.000000000116D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0116D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_116d000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3666edeac18893a4ce440840ac7f70501fd1ffd325e2ba82756e9a0809b874fc
Instruction ID: c90eff962978c9a27729fe167f416c02d352dae192e178b02f55641b72f18f5c
Opcode Fuzzy Hash: 3666edeac18893a4ce440840ac7f70501fd1ffd325e2ba82756e9a0809b874fc
Instruction Fuzzy Hash: 1921F5B1604344EFDF19DF94E9C0B25BB69FB84324F24C56DE8894B252C33BD456CA62

Function 0116D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1459411597.000000000116D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0116D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_116d000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b06f3b55b0db99f1fc887ad15b770891f6133178550ed6b0bbd0b43458b5519
Instruction ID: da5710f366b52ff6f2be36e59a99206e1af379a8d8ad4253fa726699d4979d51
Opcode Fuzzy Hash: 8b06f3b55b0db99f1fc887ad15b770891f6133178550ed6b0bbd0b43458b5519
Instruction Fuzzy Hash: 4D210371604340DFDF19DF54E880B16BB69FB84214F20C569D8890B242C33BD417CA62

Function 056E7FE8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1477512999.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e329d19a341a599ff07795fef85efe27b8c195dbb79adfc81ea6f164fe81c6d
Instruction ID: 6dce7b65f557943172ef644c0761a85c8607813756c90a89e2227ade0aab1d3a
Opcode Fuzzy Hash: 9e329d19a341a599ff07795fef85efe27b8c195dbb79adfc81ea6f164fe81c6d
Instruction Fuzzy Hash: 2911F8353125208FCB29BB78D41866D3297AFC9645B1444BDD14BCB3B0DE36DC42C799

Function 056E876C Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1477512999.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a75575216b3c6501862d9667578ec5807ae8d648d057a5fd0cfbfa82e339182d
Instruction ID: a0e8640b7783e1724b9ab721d6920ae24a87a5b932de3b1759cf8a64a158619e
Opcode Fuzzy Hash: a75575216b3c6501862d9667578ec5807ae8d648d057a5fd0cfbfa82e339182d
Instruction Fuzzy Hash: 5231C0B0C12318DFDB20DF9AC984B8EBBF5BB48714F24801AE804BB291C7B55845CFA4

Function 056E8559 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1477512999.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cdb5098f9d73c798f60dc3100e0e062db249511b991969acd6fc0b024666e7e
Instruction ID: b80e015694d4e5f11c2048ff8a0e1d0cd8c78f51fc6103205cc383f56be8066d
Opcode Fuzzy Hash: 9cdb5098f9d73c798f60dc3100e0e062db249511b991969acd6fc0b024666e7e
Instruction Fuzzy Hash: A511BC71B016259FCB19DB69D888D2EBBFAFF8975070584A9E805DB360EE70DC01CB90

Function 056E3354 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1477512999.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 976f717bd59af0ab3218de9b3fc34c7844d45d9fe8a4fa2d6f2429c88033087d
Instruction ID: e6a99a78b041a1ca32ed96d90c806e9927ba3b93c55d559efced7059ffa0a789
Opcode Fuzzy Hash: 976f717bd59af0ab3218de9b3fc34c7844d45d9fe8a4fa2d6f2429c88033087d
Instruction Fuzzy Hash: DE31DFB0D12358DFDB60DF9AC588B9EBBF5BB48714F24801AE805BB290C7B55845CFA4

Function 056EF4C8 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1477512999.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccace845b9634866660289e98faf1908c6d9f5e4413cfaff4f46bcf0849aafdb
Instruction ID: 55ce4caa90688d0c793a74ff1c19bb7a7342e09dbec4f1e4870fda2aba608ad8
Opcode Fuzzy Hash: ccace845b9634866660289e98faf1908c6d9f5e4413cfaff4f46bcf0849aafdb
Instruction Fuzzy Hash: 0811A3717026595BCB11DE69CC859EFFBBAEFE4610B14852AE905D3240DA30D906C7A2

Function 056E69C8 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1477512999.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6292a8dab949fac585248def99fc940950cae3d421322ed4a1a988a53fb95567
Instruction ID: daaf7729b5f6cc5d1d337230ced3727d864e06a305692d25dbb08d88dcd57ebf
Opcode Fuzzy Hash: 6292a8dab949fac585248def99fc940950cae3d421322ed4a1a988a53fb95567
Instruction Fuzzy Hash: EE21E771E00215DFCB10DF68DC44A9BBBB5FF94320B14C659D8099B249EB70E941CBA0

Function 056EDFAE Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1477512999.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d03b80c0c4d9ff1b3d3f07cdc393f8d0f361fbf4dc4e36d39f3d393635c18b8e
Instruction ID: 38d614ff9643c0bc9d4b6032f0384a9b4d11cc0ab239e7545cae90bbe6a2fda7
Opcode Fuzzy Hash: d03b80c0c4d9ff1b3d3f07cdc393f8d0f361fbf4dc4e36d39f3d393635c18b8e
Instruction Fuzzy Hash: E911E371B023154B8B16DB798C548BFB7F7FFC4260714492DE468A7340EF3089058765

Function 0116D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1459411597.000000000116D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0116D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_116d000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b19dce04b7e0fd6b073ea31a689decd77a36c6b0c9190dd9ad4bfc0d46d3edcf
Instruction ID: a4ff6a899baa16507b6e47eefd5da5da90627d2559b58acdd2a746cca9b96f0d
Opcode Fuzzy Hash: b19dce04b7e0fd6b073ea31a689decd77a36c6b0c9190dd9ad4bfc0d46d3edcf
Instruction Fuzzy Hash: EE2180755093808FCB06CF64D994B15BF71EB46214F28C5DAD8898B6A7C33B981ACB62

Function 056EF007 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1477512999.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f426b4fde7c8b82b61f4f4074c685c56c9bc2f4ea1a47d79a1ae97546ca880b
Instruction ID: d2f4ca0909959b7e97b39315952d99bbcfe7b7d9d390e9b06ddcbd0f8afdf2c3
Opcode Fuzzy Hash: 0f426b4fde7c8b82b61f4f4074c685c56c9bc2f4ea1a47d79a1ae97546ca880b
Instruction Fuzzy Hash: 87118271B027155B8B15EA798C449BFB7FBEFC4160B65892DD424D7340EF309D058764

Function 056EEF38 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1477512999.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa24502060ec152ad778356674920a3186798c90f05e09e4aea8dccbbd8e940d
Instruction ID: 64903a5e831f203a25fb96d8e9ff47f72d8e251bb38fe1f8b0e69361665c11ec
Opcode Fuzzy Hash: aa24502060ec152ad778356674920a3186798c90f05e09e4aea8dccbbd8e940d
Instruction Fuzzy Hash: 52115E71B012198BCB14EBB899105FFBBFABF88710B104069D505F7340EB329D01CBA1

Function 056E67A0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1477512999.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12eb040edd6eb438f7a17ead31ed581d75ac3b0688a17a63a6685be1366b8dd2
Instruction ID: 677970552fa7330c3d6803f19a3e0d3523fa56fd522d942cb059deb4ada9266a
Opcode Fuzzy Hash: 12eb040edd6eb438f7a17ead31ed581d75ac3b0688a17a63a6685be1366b8dd2
Instruction Fuzzy Hash: D3114271E0021A9FCB44DFA8D4516AEBBF5FF49350F10815AE919E7385EB309A04CBD1

Function 056ED3E1 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1477512999.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d469bb56b13b9e927a9cff487b038a3291983500ff9a255b0455b2f13bf3aaeb
Instruction ID: 9e8a43a3676fd7d1c3b47e1b64d597375f4a0fa049e9668833a49ef3497aff06
Opcode Fuzzy Hash: d469bb56b13b9e927a9cff487b038a3291983500ff9a255b0455b2f13bf3aaeb
Instruction Fuzzy Hash: 57117C327056148FCB29AB38E84866EB7B6EBC6715B14842EE106C7790CF35DC42CB50

Function 0115D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1459348359.000000000115D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0115D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_115d000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9902afee9e3b44ff2e822c933ca4f9850614e81a5517644e66c67081f9efd2f
Instruction ID: e106c26803871605b2812a7ad1fd4706940445acd8791ecdb38311350013456c
Opcode Fuzzy Hash: d9902afee9e3b44ff2e822c933ca4f9850614e81a5517644e66c67081f9efd2f
Instruction Fuzzy Hash: 45119D76504280CFCF16CF54E5C4B16BF72FB84218F2486A9DC490B656C336D45ACBA2

Function 056E91A0 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1477512999.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74dd3fd8eaa48cf1d367f4fed334249e434728a648bc448f6dc2865b35ebebe1
Instruction ID: a2c8ad09ffbc77a58e76ceaa268f24cc9851ea67d096ef2db25b3ee5ace162f8
Opcode Fuzzy Hash: 74dd3fd8eaa48cf1d367f4fed334249e434728a648bc448f6dc2865b35ebebe1
Instruction Fuzzy Hash: B821D6B5901749DFCB10CF9AD884ADEBBF5FB48314F10841AE919A7310C375A554CFA5

Function 0116D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1459411597.000000000116D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0116D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_116d000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd2c54e641c636489e18f71c5e932094e1140b5f592d34fffac0146327057262
Instruction ID: 2cd2b62345e27f259c76fb2928a8695e5b8c2ffeedaafe40d13c614296937de0
Opcode Fuzzy Hash: dd2c54e641c636489e18f71c5e932094e1140b5f592d34fffac0146327057262
Instruction Fuzzy Hash: 7711BBB5604280DFCB16CF54D5C4B15BFA2FB84224F28C6ADDC894B696C33BD45ACB62

Function 056E678F Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1477512999.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50d9db8a4641642dd30262d7aaf9314ac6c175d0d335e926035561e3e1261606
Instruction ID: 12dcdf521af03fa10d9b4546dd60fc3dd8e5de95b2b3ffff361328dd60441b72
Opcode Fuzzy Hash: 50d9db8a4641642dd30262d7aaf9314ac6c175d0d335e926035561e3e1261606
Instruction Fuzzy Hash: 13110DB1E0021A9FCB40DFA9D8517AEBBF0FF49700F14815AD859E7385E630AA41CBD1

Function 056ED1A0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1477512999.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57b39c76bd772e5ac97cc650599cf76f39aa41755fee0e0b050a2a784554412e
Instruction ID: 1483250da18e3a64acfe8099723cf998935fd00907be34f8024dfa938cbe0a6c
Opcode Fuzzy Hash: 57b39c76bd772e5ac97cc650599cf76f39aa41755fee0e0b050a2a784554412e
Instruction Fuzzy Hash: 5901D4353026098FCB289A6DD455E6AB3B2BFC5650B15807EEA46CB724EA31EC42C790

Function 056E83E8 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1477512999.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e704b039c025a201bb134b0b3f95563d556f3d6b885b51bad57e826d6f0cbfca
Instruction ID: dd274339cd6296f009454d3abded5bddac38e30bf79ef9f2f1145279760d4b26
Opcode Fuzzy Hash: e704b039c025a201bb134b0b3f95563d556f3d6b885b51bad57e826d6f0cbfca
Instruction Fuzzy Hash: 94116675A002189BDB10EBA4C8447BFB7FAFF88300F01885DD919A7390E7789A05CBA1

Function 056E83F8 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1477512999.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a94fac26c2da3e4a1879f9f7bff9cb95e245d225244b92b5b7c641ec7ba99b0b
Instruction ID: 9dbc3e054ba3c7467852b51b10cc0d6361486dbb1144088d8761844d1e3913e5
Opcode Fuzzy Hash: a94fac26c2da3e4a1879f9f7bff9cb95e245d225244b92b5b7c641ec7ba99b0b
Instruction Fuzzy Hash: 27115775A012189BDB10EBA4C844BBFB7BAFFC8700F00481CD919A7350EB789A41CBA1

Function 056E7390 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1477512999.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56b32b3e81ac12ddcbdab810b35e04e048abd484e1fbf7dd9d3de5265cc2c940
Instruction ID: 1d4884d704b6cff88cd1e45568ff7ef830877e69baba28d3fd5eb2810a724aa4
Opcode Fuzzy Hash: 56b32b3e81ac12ddcbdab810b35e04e048abd484e1fbf7dd9d3de5265cc2c940
Instruction Fuzzy Hash: 49014736A042089BCB04F764D8449EEF7B9EFCA310F008269E50597340DF309D42C7E1

Function 0115D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1459348359.000000000115D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0115D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_115d000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76a3e0606698f7ddae2d6d641b0b25591ae5aa4b04fde0da0ec7e4ef8327faea
Instruction ID: c53266a0ca41e3397a69970ef8ecbccff724c50176ed25e678bcdbf9f720fe8a
Opcode Fuzzy Hash: 76a3e0606698f7ddae2d6d641b0b25591ae5aa4b04fde0da0ec7e4ef8327faea
Instruction Fuzzy Hash: 6B012B71004B80DFFB588F95DD84B67FB98EF81628F08C55AED290B282D3799400CB72

Function 056E6391 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1477512999.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fac6daa379307f39e353e99a6596f4882ee3439e9655cbce8a2711bb5f100704
Instruction ID: 159cb1c4b7be5541bcb025769aa5936dbbc4c9aee54195dd4f1d6a037e3948b4
Opcode Fuzzy Hash: fac6daa379307f39e353e99a6596f4882ee3439e9655cbce8a2711bb5f100704
Instruction Fuzzy Hash: F7119CB5D1061DAFCB40EFA8D5455EEBBF5EF48200F10865AE858B7350E7709A50CBA1

Function 056ED1B0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1477512999.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b121e81784b35304b408da3551bb48fc78f2861bb4754c88fd75a3683d73825e
Instruction ID: 48f382a83a7b121d7643a7de57d89e5a950b1caa8f8e934d41f16eb29f0d9d6b
Opcode Fuzzy Hash: b121e81784b35304b408da3551bb48fc78f2861bb4754c88fd75a3683d73825e
Instruction Fuzzy Hash: 10F044353025058FCB28DA69D464D6A73F7BFC4650715806EEA578B764EF31EC01C790

Function 056E73A0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1477512999.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef77f75b8919a515a9dd918dd24cb9222da606f0d45b9cbd165476be5b9f260c
Instruction ID: d3ceb1c1a647d6c4191be8f8933612460aafb40d3a211ac6d6e049f381c24f34
Opcode Fuzzy Hash: ef77f75b8919a515a9dd918dd24cb9222da606f0d45b9cbd165476be5b9f260c
Instruction Fuzzy Hash: E101D136A006089BCB04EA64E8448EEF7B9EFCA310F108269E91567310EB709E41CBE1

Function 056E9FA7 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1477512999.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79d3b0a800b3c1d87803d098f451c893aebb891180032c6a3f3e5d06bc783c53
Instruction ID: 68153dc97f17bb57301514ac9fc643bf88fd7d37e6f6a074a058cc0df5941326
Opcode Fuzzy Hash: 79d3b0a800b3c1d87803d098f451c893aebb891180032c6a3f3e5d06bc783c53
Instruction Fuzzy Hash: 88F03676702108AFDF05DA94DD45EFA77EEEF54218F148069E404D7315E631EE05D750

Function 056EA943 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1477512999.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65e88638544aa40903f7fb64f311181af68a748b2cae8d6c17618352bfb0d9f7
Instruction ID: 3ed248daf0647b0737cf651ff8a41e30e755eca1817bbdc93969b5681143df40
Opcode Fuzzy Hash: 65e88638544aa40903f7fb64f311181af68a748b2cae8d6c17618352bfb0d9f7
Instruction Fuzzy Hash: 9DF0272235751417CF3D71B6885423FB2574FC1B10B188A2D910ACB384CD69C803C2C9

Function 056E63A0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1477512999.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46e74469c2dd22456593418fe3788bfd1a19efa2670d500dcf5a86b47a27e01c
Instruction ID: 6a038a62113cb7f3c14383b435b30f2059d59d4f44bda44d8f87cfaa7b097037
Opcode Fuzzy Hash: 46e74469c2dd22456593418fe3788bfd1a19efa2670d500dcf5a86b47a27e01c
Instruction Fuzzy Hash: C8019775D10619AFCB40EFA8C5449EEBBF4EF48200F10855AE858B7310E7709A50CBA1

Function 056E7A78 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1477512999.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ab692883efe750ea7ea9096c42471a5e74df4f6711006d73f8eef83d0d60656
Instruction ID: fc0c95c407e620ce3e1ccf05972c713fe4d7c8fffe546bbc784824c7bedef25c
Opcode Fuzzy Hash: 0ab692883efe750ea7ea9096c42471a5e74df4f6711006d73f8eef83d0d60656
Instruction Fuzzy Hash: E5F0A771367514178F3D72BA589453F72575FC1B10715892D511A8B394CE69D803C2DA

Function 0115D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1459348359.000000000115D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0115D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_115d000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89c9d9918b3176a71d8962fd029835485c30dd6e3190abf59633e3ea619535c1
Instruction ID: 9939a5f0b0810c5fbd4136fd6f78da2c7c34b46d73f39de34ac1e6435ece997a
Opcode Fuzzy Hash: 89c9d9918b3176a71d8962fd029835485c30dd6e3190abf59633e3ea619535c1
Instruction Fuzzy Hash: 9AF06271405784DEFB148E5ADC88B62FF98EB41638F18C45AED185B286C3799844CBB1

Function 056EDC48 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1477512999.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07dc8f047b86a773efafed7486e029f6984ff82e78096153d3309376a7f9d375
Instruction ID: 34476c5b393bb209fd207258e6be6d5e5206b4ccc9e6573c40a2383b09325c9d
Opcode Fuzzy Hash: 07dc8f047b86a773efafed7486e029f6984ff82e78096153d3309376a7f9d375
Instruction Fuzzy Hash: 9FF04FB9D45208EFCB44DF78E64569DBBF5FB49300F1091A9D814A3355E7349901CF44

Function 056E7371 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1477512999.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b51adb94c7db8ec70671ee6c964727ac7d43e282c57f8c793e16d827dc3fe9d3
Instruction ID: 1738b6333793667daae0665db550729304daae1356418f11edc660a9ceef0aef
Opcode Fuzzy Hash: b51adb94c7db8ec70671ee6c964727ac7d43e282c57f8c793e16d827dc3fe9d3
Instruction Fuzzy Hash: 51F0273634160487CB14E660E4456EDF3B6FBC9210F508279CA0287740DB346D02C7B5

Function 056E8B2F Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1477512999.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6396c827efe13b33aab60301caf7c655e5c840709a95fb63173388ed98923a6c
Instruction ID: adee4216a67cafaa48d42a84a4fb7f8f2e95bc67fd10160b9d029c44fca81ea1
Opcode Fuzzy Hash: 6396c827efe13b33aab60301caf7c655e5c840709a95fb63173388ed98923a6c
Instruction Fuzzy Hash: B001ECB0802219DEDB15CF65C4483EEBBB1FF44350F148629E425AB290D7744A85CB91

Function 056E8BCB Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1477512999.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3f1467aee2da8391eff0e7ce4f31a489a99fc92d631ec07dfcc8de184f54abd
Instruction ID: f3b02a9b862a81dda6c3ebc64fc3e825d95a1faf0e2df8156d70e3a6d4b4173b
Opcode Fuzzy Hash: c3f1467aee2da8391eff0e7ce4f31a489a99fc92d631ec07dfcc8de184f54abd
Instruction Fuzzy Hash: CBF082727006285FD304D6AADC84E2BBBEDFBC93B4B958079F518D7350D9319C01C6A0

Function 056E9FF0 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1477512999.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4167ef740ddb5070a59f5a70db1052accce04956046f748f6968bc4cd7bf774
Instruction ID: 41bc58e50cea791a1db28774f44be525c3c2f2c7ac334d6fc3d5d24f32bb1f86
Opcode Fuzzy Hash: d4167ef740ddb5070a59f5a70db1052accce04956046f748f6968bc4cd7bf774
Instruction Fuzzy Hash: 7FF05E72601118AFDF04DF54D845A9ABBEAEF05224F1481AAE908D7360EA32E941C754

Function 056E8B38 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1477512999.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f20d34caf6a199d9acf1dc6332d37a336e589861b036635e7a0a3e178f10652a
Instruction ID: 02142e5bde52b5f430197a488a166b402a01c5961f971904e60e0bcef295cbbc
Opcode Fuzzy Hash: f20d34caf6a199d9acf1dc6332d37a336e589861b036635e7a0a3e178f10652a
Instruction Fuzzy Hash: 6501FBB0802219DFDB14CFAAC4083AEBBF5FF48360F148625E825AB290D7744A81CF90

Function 056E911C Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1477512999.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa34b7cec4516fb668519c687eb671351ec8e75e6fba1aa09c44170265980343
Instruction ID: 2c3494b3a77fc7714fdc35515b14fef393660bd931e20e80970c08fa81f30493
Opcode Fuzzy Hash: aa34b7cec4516fb668519c687eb671351ec8e75e6fba1aa09c44170265980343
Instruction Fuzzy Hash: 78F08231601108AF9F08DF98DC88DAE7BEAFF45214B10806AA408D7210EA71E900C758

Function 056E80F9 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1477512999.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6debbc0ca3ccf5b90e75d3ad5d764d09b1ad30a2330d348360675520dda32f40
Instruction ID: d200800fe9a5bad466e44229c846f7f76f5df8179ea2d11cef76be2d7c811c5c
Opcode Fuzzy Hash: 6debbc0ca3ccf5b90e75d3ad5d764d09b1ad30a2330d348360675520dda32f40
Instruction Fuzzy Hash: 68F0653B2C2615CBC3319A74D485BE573A5EF44621F0444B5E14987BA1C666E853D690

Function 056ED3F0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1477512999.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d68d76b6780c3271c4454dba81ec6e75fd3cf798eac966240c35036a58428d88
Instruction ID: abc1b6f2111549bb7b12411282b12d06b75d311761e93592203606aa60f5fcf1
Opcode Fuzzy Hash: d68d76b6780c3271c4454dba81ec6e75fd3cf798eac966240c35036a58428d88
Instruction Fuzzy Hash: E3F05E31B003149FCB29AB79E8185AEB7FAEBC5715F00882EE506C7340CF34A846DB90

Function 056E8BD8 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1477512999.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf2efe066f96467170cbe114085a798b8ac04a1828fa68c10ccc5f762ba1780
Instruction ID: c0ede9068f7771a996dcab637d4b148ae0f6830b5b0f18854ce2bb34830d1962
Opcode Fuzzy Hash: 0cf2efe066f96467170cbe114085a798b8ac04a1828fa68c10ccc5f762ba1780
Instruction Fuzzy Hash: 94E030727001245F5304966AD884D6BB7EDFBCC6743518079F518D7310D9319C00C6A0

Function 056E8128 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1477512999.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec5cccac2b7178f44e3c3ec1834a198ef4f96283c052c4ca3a2dc302fbb905d2
Instruction ID: 11130977a4b1bfa169c0f83dd5527179e69e8f7abab67f8d7f169a0a8a49e971
Opcode Fuzzy Hash: ec5cccac2b7178f44e3c3ec1834a198ef4f96283c052c4ca3a2dc302fbb905d2
Instruction Fuzzy Hash: 7CF06536352704CBE315A678C841BD7B3BAEFC5750F54482DD85A97741CBB6EC06C6A0

Function 056EA907 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1477512999.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d5d8c6ae5513e0439a987442ef22e06ab45fa724267713c9102507701e03bac
Instruction ID: f16758e0081370284300a5af6974cd2dc655807210db224bf47500a9efd78bd5
Opcode Fuzzy Hash: 0d5d8c6ae5513e0439a987442ef22e06ab45fa724267713c9102507701e03bac
Instruction Fuzzy Hash: 1EE092B776355506DB2A65F5AD1837F22835FE0B26F09892D815ACABC0EE25C002C2A0

Function 056E81C8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1477512999.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4563d34017278260ea88fa2354b4f91bebfd0d59d2d68e6d4a9328cf43e9c952
Instruction ID: 2c977dac2ce8efcbd9657d6907f9aa629fc9d50f59f2e4264deae88746e09743
Opcode Fuzzy Hash: 4563d34017278260ea88fa2354b4f91bebfd0d59d2d68e6d4a9328cf43e9c952
Instruction Fuzzy Hash: C0E0DF23B639A407CE1461BCA81B37E269FDBC9A21F95003EE50AC3BC1CD558D02C3E9

Function 056EDC58 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1477512999.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8ec89ed5f3ef7ceb7d30b7893681e0508544fa292acb66afc6d70a781283a54
Instruction ID: e51deafd03e21a3ce869237b97b677ca6dd6e0d2ba04a4c721b1f9137fea62dc
Opcode Fuzzy Hash: b8ec89ed5f3ef7ceb7d30b7893681e0508544fa292acb66afc6d70a781283a54
Instruction Fuzzy Hash: C4F0DAB8D15208EFCB44EFB9E64899DBBF5FB49300F1081A9D819A3354E7709A50CF41

Function 056EA878 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1477512999.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 673700bd89c46118abf8e56e27fd8877e51967a4c9b89a9f61854b7e543e8932
Instruction ID: 999ca5aecff54bdc306074f65be4580eb1252ebd2cebee709ea0998f33b2bcaf
Opcode Fuzzy Hash: 673700bd89c46118abf8e56e27fd8877e51967a4c9b89a9f61854b7e543e8932
Instruction Fuzzy Hash: 3EF0B7B0E1520A9FDB84DFA9D845AAEBBF4BB48300F1085AA9918E7240E7749641CB90

Function 056EA86B Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1477512999.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53f79f89cdfbfeb460ad6c5c5b96ded2edbde826204c7fa58c8fdd1d321a4fa7
Instruction ID: 167dc480e90653ccee3daa5da3dcdde5c96bfd680e2b7ff2bdbbe07d9096b6c0
Opcode Fuzzy Hash: 53f79f89cdfbfeb460ad6c5c5b96ded2edbde826204c7fa58c8fdd1d321a4fa7
Instruction Fuzzy Hash: 26F0E2B4E1520A9FEB44DFA8C8496AEBFF1BB08300F15886A9504E7240D7748A41DB90

Function 056E32DC Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1477512999.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb0713a439da4ac51e2b96acaee8c76eebb899ec3709e4c735aa60dc780835f0
Instruction ID: 92c2382c06bb78b1e21e5d3ad9c859feac541f065425b2578c6827240575d46f
Opcode Fuzzy Hash: bb0713a439da4ac51e2b96acaee8c76eebb899ec3709e4c735aa60dc780835f0
Instruction Fuzzy Hash: 0BE06D31393300CBE215A668C854FDBB3AAFFC9751F40082DD45A87340CBB6EC0AC6A1

Function 056EED38 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1477512999.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 596fd517608395eaef9c9c8804b58f74993d554f4f3fe337b1dbecdcc9b535d6
Instruction ID: 59240be299f12678e7f2dddc2020a66a308ae9d921936660cdfeb0fe984be6b9
Opcode Fuzzy Hash: 596fd517608395eaef9c9c8804b58f74993d554f4f3fe337b1dbecdcc9b535d6
Instruction Fuzzy Hash: 4FE03935D16208EFCB10DBA4E44679CBBF4EB4A200F1081A99815A3B40D6745A41DB40

Function 056EFDF3 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1477512999.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9f638f539c843bb73788225a8788b328e4dc15771a81b55c8033b7fca06a26e
Instruction ID: 1c9d22b3762e8fc0ff807435c17e7cb7c2608b5aa2099e8356063cebc22a45fd
Opcode Fuzzy Hash: f9f638f539c843bb73788225a8788b328e4dc15771a81b55c8033b7fca06a26e
Instruction Fuzzy Hash: 18E06D30D06208AFCB54DFB4E94539CFBF4EB4A300F1081AA9804E3340D6705A44DF40

Function 056E81D8 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1477512999.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c82ecf6fb5a31a835eef7126b56247299eb70b7254c08262c71d5ebeeb2c2e2b
Instruction ID: 35121145b6c0b14eaa5bf0782f25116b61c30965a8b84f6213718aae0d385045
Opcode Fuzzy Hash: c82ecf6fb5a31a835eef7126b56247299eb70b7254c08262c71d5ebeeb2c2e2b
Instruction Fuzzy Hash: F0E08622B275A00BC51432BC741E56E299FDBC6651F51003EE50AC77C0CD644D02C3E6

Function 056EE9C8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1477512999.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55c656e509c8b2f0912ab9aab50c85bf0822820859b511d7d3de28301a0e0080
Instruction ID: c6821f5bc23334a52c6ab4d35919b3f9dd1d4111188433a984ec4e4cccaa753e
Opcode Fuzzy Hash: 55c656e509c8b2f0912ab9aab50c85bf0822820859b511d7d3de28301a0e0080
Instruction Fuzzy Hash: 7AD05E3244B20CABDB54C675C843BADB7FDE703A40F281A68A80563AA1DB766E05D354

Function 056EED48 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1477512999.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc13e609368a2484d24d9d27ac35c53d91a8a74fc5c352ccc6b650d0af61aeee
Instruction ID: a397758c896906e6faf460ff4b9b54c7e9c4d73a4369614c90e7e5116551ebf0
Opcode Fuzzy Hash: bc13e609368a2484d24d9d27ac35c53d91a8a74fc5c352ccc6b650d0af61aeee
Instruction Fuzzy Hash: D1E01274D1A208EFCB64DFA8E4456ACBBF8AB8A300F1080AA9809A3300DA745A44DF40

Function 056E6E51 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1477512999.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 715739f02e5dc33ae63fb949f56d16d8a178005b09500846c4c9a1f32c43f295
Instruction ID: f67e9bc31e38af82e07319ac174e87cb5e1aae8b84209abd259e03905ab5f283
Opcode Fuzzy Hash: 715739f02e5dc33ae63fb949f56d16d8a178005b09500846c4c9a1f32c43f295
Instruction Fuzzy Hash: 5DE08C3A502609DFCB14AF60D845E48BBB6FB00705F19C165E9054F775C732E85ACF54

Function 056EFE00 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1477512999.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: deb2d42614fc69353b29b480e4809dd27095140de09c724a99ef54aee680214e
Instruction ID: a68887c1db02681c19e071e1286a364290d35750c947f7ad944757fa4f4d8881
Opcode Fuzzy Hash: deb2d42614fc69353b29b480e4809dd27095140de09c724a99ef54aee680214e
Instruction Fuzzy Hash: 55E04F70D16248EFCB54DFB9E44569CFBF4EB4A300F1091AAD808A3300E7705A54DF40

Function 056E7A14 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1477512999.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e905c9177873387c94c29722a0043467def6a92f5b6a27c10fb31a1c92f183f
Instruction ID: 952fa66e8e2b009a368f40853fc42fcf2a9955d7ba6afe74f2c1567a35a4b910
Opcode Fuzzy Hash: 5e905c9177873387c94c29722a0043467def6a92f5b6a27c10fb31a1c92f183f
Instruction Fuzzy Hash: 65D02B2034B3601BC604522D3C99396BECFAF55220F40041EF14D83301CE565804835B

Function 056EE7B3 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1477512999.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7fc037f7f57fd4957fe2c92834023ed3cb416d2479a8c04d093de11605c45fe
Instruction ID: 093bc784c5c2982c8ecc8ffaa719dcc26c3bb533d82e950a4c2463818814cda3
Opcode Fuzzy Hash: d7fc037f7f57fd4957fe2c92834023ed3cb416d2479a8c04d093de11605c45fe
Instruction Fuzzy Hash: B4E0C23481A20CEFCB24DFA0D8456ACBFB9FB07311F108169E80423740CB716EA5EB84

Function 056EE7B8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1477512999.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0a070e986ecc953622e473affaf02910b6ea793b33fc5451823373cacae7d10
Instruction ID: 77bc1d1a4410bda3a1ceb0bac948de786e4fb361f22fa0e33bb748b9635b8f7a
Opcode Fuzzy Hash: b0a070e986ecc953622e473affaf02910b6ea793b33fc5451823373cacae7d10
Instruction Fuzzy Hash: 09E0C23481A20CEFCB24DFA0D4055ACBF79EB07311F108069E80423740CB711EA5EB84

Function 056EE9D8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1477512999.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fef361a5ebfc95033d1c4d221ed12e41e51def848323a38d51e03ae0f577326b
Instruction ID: 687447bef11ee222a5811ba2161dc30518ddc64df00f222a3b3cdf5252268934
Opcode Fuzzy Hash: fef361a5ebfc95033d1c4d221ed12e41e51def848323a38d51e03ae0f577326b
Instruction Fuzzy Hash: ACD0223044F20CDFCB54CAB9C402B7DB7EDE703600F101498A408232618F721D00E254

Function 056EDFD4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1477512999.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24fa87704eb57d3cafac75cc5a8e519d8bd9350704cc178265c55207e5e9f161
Instruction ID: 07c08ba9193983681dc543198758ee984dbd313203374296d6185820f8061bbe
Opcode Fuzzy Hash: 24fa87704eb57d3cafac75cc5a8e519d8bd9350704cc178265c55207e5e9f161
Instruction Fuzzy Hash: 1BC0807F187A80B6C5029B748F42BDDED1356F3B10319C755A34C51E62C52CD813D215

Function 056EA918 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1477512999.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9296fe41c4a1cd56810d2949c1d90a6b56101f5081020890588c18286a42b790
Instruction ID: 24887cb8db00c60509f0404ec6aaa40503cd14cac2d6f34cdac0f290510262e8
Opcode Fuzzy Hash: 9296fe41c4a1cd56810d2949c1d90a6b56101f5081020890588c18286a42b790
Instruction Fuzzy Hash: CDD012332152085E4B51EED5F804C6677DDBB247007418422E508CB520E621E424DB51

Function 056EF4A0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1477512999.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 645d9e78dd8beea9f9d91ca16b712fc289bceee07c40bf2b7aa09a9d2a163398
Instruction ID: a64adfdf1cca22356f692521e0b04ac2506c833bd3fdf09003a7bf939935d042
Opcode Fuzzy Hash: 645d9e78dd8beea9f9d91ca16b712fc289bceee07c40bf2b7aa09a9d2a163398
Instruction Fuzzy Hash: 7DC01260145B856BD7078A304C06DCA3A359AA3B00346C0567D05DA0D6C2754555C633

Function 056EEF00 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1477512999.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61b51cac815c347262edd74a13760c40381f2a5d1ee8d74180bf4239feed860f
Instruction ID: 08b852aea64a84050733f5d354c0be2b7bdda517fc8d8ef8b15fbb658fab822b
Opcode Fuzzy Hash: 61b51cac815c347262edd74a13760c40381f2a5d1ee8d74180bf4239feed860f
Instruction Fuzzy Hash: CEC08C3F00340C6AC310EAA0CC43FA1B7B4FB02600F94C519B34851D30CA31F8269713

Function 056EDF9C Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1477512999.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38e171e66e89f46699170becd88f090bc66255401890e13d35e8db12408e0561
Instruction ID: 6cfd5baf4018a549f7c3d7554aeb968b8447ea95788cae4404af890683c90c0a
Opcode Fuzzy Hash: 38e171e66e89f46699170becd88f090bc66255401890e13d35e8db12408e0561
Instruction Fuzzy Hash: C7C04C391171149A8601E7508984D15B6B5BB967007808C59618545125CB22D81CD716

Function 056EDFE4 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1477512999.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78d30870b0f345ecfd06767252d51e74445006b265bfecdbfbaa8d9eedbb29c5
Instruction ID: 3f743957aae1595096dff59f0f8f630bba624168e301381881334a712edb2bcb
Opcode Fuzzy Hash: 78d30870b0f345ecfd06767252d51e74445006b265bfecdbfbaa8d9eedbb29c5
Instruction Fuzzy Hash: 9DB0123A257A64F35411A3648D89F6E9061BFF3F00B80CC05724400051CE65842DD21F

Function 056ED2C0 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1477512999.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e60400a0b01180c1f53fe809174f63fa63edf4b599821829c5b8a925dad9aa82
Instruction ID: b6a774a1aadb2023ecfc3586c7e1e2bb625d59babb2c3588baa3edc1c446a2b1
Opcode Fuzzy Hash: e60400a0b01180c1f53fe809174f63fa63edf4b599821829c5b8a925dad9aa82
Instruction Fuzzy Hash: 2FB012477DF7C50ECE4332744C1A1087F307997500BC941C79840CF1D2D4086504C372

Non-executed Functions

Function 056E1998 Relevance: .9, Instructions: 931COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1477512999.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e05360e1260283b26e584adde883dce18137f7412de426544dc2eb5c61b121f
Instruction ID: 2a4c62fb307561941aba2c0e8998e4dd377a1a041eb3891c571109e5b41ff771
Opcode Fuzzy Hash: 9e05360e1260283b26e584adde883dce18137f7412de426544dc2eb5c61b121f
Instruction Fuzzy Hash: 62A22731E002598FDB15DB68C8587EDB7B2FF99300F1582A9D90AA7350EB74AE81CF50

Function 071D68B8 Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1482525895.00000000071D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71d0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4bd9edc8307a9ed4a2f9c93b67e7ba4dc086f04aab16304a695a0c2a9168240
Instruction ID: 6a8292402bb4364d5553f654d0385f9652956bf5ad9a07a39a8fe50f19815331
Opcode Fuzzy Hash: c4bd9edc8307a9ed4a2f9c93b67e7ba4dc086f04aab16304a695a0c2a9168240
Instruction Fuzzy Hash: 41E11BB4E102198FDB14DFA8C590AAEFBB2FF89305F248169D414AB355D730AD41CF64

Function 050F0040 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1467913981.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1039d69d6d6c64c545c23c293fe29b20e328c28812cdde22b645a3efba6232e
Instruction ID: edffd71a93bb8aaa0e73caf44dff599e87afc5cf112e86d0033ef264fc6c3d66
Opcode Fuzzy Hash: f1039d69d6d6c64c545c23c293fe29b20e328c28812cdde22b645a3efba6232e
Instruction Fuzzy Hash: 751282B04017458AE730CF69F94D1897BB1BBE6718B904389D2616B2E9DFB9114BCF84

Function 071D83B8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1482525895.00000000071D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71d0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c2dc5f13b6eac8dbf4aecd0652020dc3e434134bb177e48ff9a20e15d92b3e0
Instruction ID: 014209abfb0de255a615263a89c8cdd39c46a7d6d8e7b98c868bb5abc3fafa33
Opcode Fuzzy Hash: 0c2dc5f13b6eac8dbf4aecd0652020dc3e434134bb177e48ff9a20e15d92b3e0
Instruction Fuzzy Hash: B6E1F8B4E102198FDB14DFA9C580AAEFBB2FF89305F248169D418AB355DB31AD41CF60

Function 071D91A0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1482525895.00000000071D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71d0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa63d9f76bf95dc17e799ec0b21d0dad0179500f9f1e9788088a18bfed057e36
Instruction ID: 4e7aaccb75ccae3b5c28c3b9e4bb1d758c9d083c4b54366986ba60aea786c852
Opcode Fuzzy Hash: aa63d9f76bf95dc17e799ec0b21d0dad0179500f9f1e9788088a18bfed057e36
Instruction Fuzzy Hash: 36E108B4E102198FDB14DFA9C590AAEFBB2FF89305F248169D818AB355D731AD41CF60

Function 071D6D10 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1482525895.00000000071D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71d0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36e1d65c87878747165e1216b9e2ac843fa1863d4c30f97558076c86cf1defd7
Instruction ID: cf49b21c30e1d3fea061604075d41a7e976fcbf73a7844c50453e39f40191b98
Opcode Fuzzy Hash: 36e1d65c87878747165e1216b9e2ac843fa1863d4c30f97558076c86cf1defd7
Instruction Fuzzy Hash: 11E109B4E102198FDB14DFA9C990AAEFBB2FF89305F248169D414AB355D731AD41CF60

Function 071D8C90 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1482525895.00000000071D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71d0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 960c7e6c506b4b9a589a5e4f4ecb41e6df2bbc7f7254d4ff26b5f167f0d5402b
Instruction ID: 3bc749290bf384724b55a04aa4ce9d028fe5d9b4bdda3dc55838c0e12086243f
Opcode Fuzzy Hash: 960c7e6c506b4b9a589a5e4f4ecb41e6df2bbc7f7254d4ff26b5f167f0d5402b
Instruction Fuzzy Hash: 1DE1F9B4E102198FDB14DFA9C590AAEFBB2FF89305F248269D414AB355D731AD41CF60

Function 056E950B Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1477512999.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2711bb78c5669d506c7c0d5991f0e5691eb6d518281fa580296524fff13b3da3
Instruction ID: 04e6992223acf5639c7e3d95191e1ac7c0cf065ead8764dc0ff8d356fa6ade05
Opcode Fuzzy Hash: 2711bb78c5669d506c7c0d5991f0e5691eb6d518281fa580296524fff13b3da3
Instruction Fuzzy Hash: B7D1063592075A8ACB11EFA4D990AD9F7B1FF96300F50CB9AE41937610EF706AC4CB91

Function 011FD364 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1459715695.00000000011F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11f0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25283e3f8a734a016ad1a1dc5aa298c769153edd9316cdd176edecef5d0229d7
Instruction ID: 0617dda552d02d9409ea539d85c01a78b073dc39fefd01e7f3d6fd987c311eee
Opcode Fuzzy Hash: 25283e3f8a734a016ad1a1dc5aa298c769153edd9316cdd176edecef5d0229d7
Instruction Fuzzy Hash: 20A19236E0020ACFCF19DFB4C84459EBBB2FF85304B15856EEA05AB265DB75D906CB40

Function 056E9518 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1477512999.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb4db0716fdbe93c600c020090059397ea4391fe2ed272c712b74a78ab61518f
Instruction ID: 177a803b3869dbc3416f5add45f44f34a204eb2c61d48bc69bbaffa683dcb83e
Opcode Fuzzy Hash: cb4db0716fdbe93c600c020090059397ea4391fe2ed272c712b74a78ab61518f
Instruction Fuzzy Hash: 34D1063592075ACACB11EFA4D990AD9B7B1FF96300F50CB9AE41937610EF706AC4CB91

Function 050F001F Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1467913981.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 850bdf297e78aebd6041b5a73c25b45211f2c0c1dc3c72bfbeb6dfd6a546945c
Instruction ID: ec8338d1b586a2a7ddda3040381ffdd1a1e3b12e42a8791985d6957078370e20
Opcode Fuzzy Hash: 850bdf297e78aebd6041b5a73c25b45211f2c0c1dc3c72bfbeb6dfd6a546945c
Instruction Fuzzy Hash: 67C1D7B08117458BD720CF69F84C28A7BB1BBE6724FA04399D1616B2E9DFB8154BCF44

Function 056EF12B Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1477512999.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daff7392f045c5406815d0a765b2c3c192677d1ac709c1616bd6d58be7530107
Instruction ID: fad7f3392effc1ab5a2379a831217b83b058f462aeb683bb17377e916e0ad147
Opcode Fuzzy Hash: daff7392f045c5406815d0a765b2c3c192677d1ac709c1616bd6d58be7530107
Instruction Fuzzy Hash: 1F81C174D0621CDFEB14CFAAD8846EDFBB6BF89300F10906AE419A7251DB74594ACF40

Function 056EF138 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1477512999.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d2b6809ffee07cc23c6d8a49c27ebd855cb7814dbd1619e0ad8dba79ca1abd0
Instruction ID: e8f3b26758ccf2449753c4ea326c361bb55ece45a88181f049c9403ba1dd026a
Opcode Fuzzy Hash: 0d2b6809ffee07cc23c6d8a49c27ebd855cb7814dbd1619e0ad8dba79ca1abd0
Instruction Fuzzy Hash: 1681A274D0A21DDFEB14CFAAD8846EDFBB6BF89300F10906AE419A7251DB74594ACF40

Function 071D8C80 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1482525895.00000000071D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71d0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbed7bc95ea50a5a93bd96ffafb71d1210ae30a2e164627a07e07dc802d83b26
Instruction ID: ce7d1f3c1c6a7952adc0401e886fa764830f9e27259ea61fe855884b42cbb02d
Opcode Fuzzy Hash: bbed7bc95ea50a5a93bd96ffafb71d1210ae30a2e164627a07e07dc802d83b26
Instruction Fuzzy Hash: 9C512AB4E102198FDB18CFA9C9815AEFBF2BF89305F24816AD418AB355D7309D41CFA0

Analysis Process: Telco 32pcs New Purchase Order.exePID: 4508, Parent PID: 4136COMMON

Executed Functions

Function 011CA968 Relevance: 2.8, Instructions: 2802COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2688827368.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11c0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a8f90672ce58a9cbbee1e6fad12f9039e4383e9fdfb5fc605d97c70b9e20722
Instruction ID: a2056798b13802a69e7fd7f144fb1cbf6b97b934ec6632bb02e42d3ac8499403
Opcode Fuzzy Hash: 6a8f90672ce58a9cbbee1e6fad12f9039e4383e9fdfb5fc605d97c70b9e20722
Instruction Fuzzy Hash: 2C53F831D10B1A8ACB55EF68C8806A9F7B1FF99300F51D79AE45877121FB70AAD4CB81

Function 011C4A98 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2688827368.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11c0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1d9401b558f054478e79fb374392962654e95fc35ff5cb3619a5a3c1688dc79
Instruction ID: f567a4d7e61b22152248c9634c04541cb6976ade3da2dd07ccd76a7bada75e52
Opcode Fuzzy Hash: a1d9401b558f054478e79fb374392962654e95fc35ff5cb3619a5a3c1688dc79
Instruction Fuzzy Hash: C9B18F70E042098FDF18CFA9D8A17EDBBF2AF98B14F14852DD814E7654EB749841CB85

Function 011C3E80 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2688827368.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11c0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0fdfd5fabf879818867d9f61779b4291e04af3f4e7d86f6b4f6d7f6484ede35
Instruction ID: 78625944b9b0b0045d8f7b2f1fda0d97e77df8b70f3cf90af352f240cfbc7f85
Opcode Fuzzy Hash: d0fdfd5fabf879818867d9f61779b4291e04af3f4e7d86f6b4f6d7f6484ede35
Instruction Fuzzy Hash: 65918C70E002098FDF18CFA9C8957DEBBF2BF98B14F14852DE454A7254EB749845CB82

Function 011C8720 Relevance: .6, Instructions: 554COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2688827368.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11c0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9f8b07e363442963097b5b2dd6f067661258938274018ededc17512037d8ca3
Instruction ID: 27d99cf7387b595da5809c777c745167ab77f3564ab0b917bfe39a4e203eafbe
Opcode Fuzzy Hash: b9f8b07e363442963097b5b2dd6f067661258938274018ededc17512037d8ca3
Instruction Fuzzy Hash: EE129334700206EBDB2AAB2CEA9866D73A2FBC5755B105D29D505CF345CF35EC4ACB81

Function 011CA182 Relevance: .4, Instructions: 415COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2688827368.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11c0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99efde3ed916f66806ea204eaa834dc105e2d95f853d423d77d191138a28cb47
Instruction ID: f4863e0ff81dfdf35af559dac63e3cb21e7bb5343ceb2e59ea1884b0ada9528d
Opcode Fuzzy Hash: 99efde3ed916f66806ea204eaa834dc105e2d95f853d423d77d191138a28cb47
Instruction Fuzzy Hash: 2EE1C534B002088FDF1ADB68E594AADBBB2FF98714F148469E906DB351EB34EC41CB51

Function 011C4A8E Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2688827368.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11c0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22d12d4ca788967dfb93e41c5341a3a675cbae1cde81b700007ba59662cce190
Instruction ID: 93519088ac3d5c9846b81c48c599861d11b9a4ee8a2638542113dbba0dec4146
Opcode Fuzzy Hash: 22d12d4ca788967dfb93e41c5341a3a675cbae1cde81b700007ba59662cce190
Instruction Fuzzy Hash: B0A18D70E04209CFEB18CFA9D8A17EDBBF1AF68B14F14812DD814E7654EB749841CB95

Function 011C3E74 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2688827368.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11c0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 127a97d0621ba3adafac3f808483ba03b967512f09aa5d9b268bbc488bf33586
Instruction ID: 2de26f25f7107a665eab64846ab03ed813defe3dd4ec565fa0a134876c0285fb
Opcode Fuzzy Hash: 127a97d0621ba3adafac3f808483ba03b967512f09aa5d9b268bbc488bf33586
Instruction Fuzzy Hash: 48A17870E00209CFDF18CFA9D8957DEBBF2BFA8B14F148529E454A7254EB349845CB92

Function 011C4810 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2688827368.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11c0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d33ac31dfd1cace06c1bc27d25b4817817e0ececaf70586b2fa170ac426c853
Instruction ID: 38757bb80462d6bdfcf0ff3763db7ecc18b87408565e318b0688e24975149aba
Opcode Fuzzy Hash: 9d33ac31dfd1cace06c1bc27d25b4817817e0ececaf70586b2fa170ac426c853
Instruction Fuzzy Hash: 0D7187B0E042498FDB18CFA9C8907EEBBF2AF98B14F14812DE415A7654EB749841CB95

Function 011C4806 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2688827368.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11c0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67fdf0bbacffdefc75af937c72abffb72b57fbaae37d887cd1da49e78fd6572c
Instruction ID: b37a48c40f4c281bfb2c24148b11975c1b50ad56f9e19b8ff689c3040afdda60
Opcode Fuzzy Hash: 67fdf0bbacffdefc75af937c72abffb72b57fbaae37d887cd1da49e78fd6572c
Instruction Fuzzy Hash: 1E7177B0E042498FDB18CFADC8947DEBBF2AF98B14F14812DE415A7650EB749841CB95

Function 011C6ECF Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2688827368.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11c0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8e2bb63b4c01873f86210aedc77ebbcec83bf233a82f66407b3d7694285196d
Instruction ID: fde5a5c53ac086fabe1d3a9092773bcd8d59acc2f8a5d9fcdbf6ab10261df285
Opcode Fuzzy Hash: d8e2bb63b4c01873f86210aedc77ebbcec83bf233a82f66407b3d7694285196d
Instruction Fuzzy Hash: EC517E347002158FDB18DB68C558AAE7BB6FF99B04F2044ADE406EB7A1DB759C40CBA1

Function 011CA6C8 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2688827368.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11c0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a51a852638b8871eb2ae948add1c934ed4865b0688a90cb1e4747dee270ae9f3
Instruction ID: a15e4eebbaa11d2060846b483c608c719bd83fafbd8ea06f0e785d17ab62c837
Opcode Fuzzy Hash: a51a852638b8871eb2ae948add1c934ed4865b0688a90cb1e4747dee270ae9f3
Instruction Fuzzy Hash: 8C514A75A00208DFDB04DFA9E884B99FBB1FF88310F14C1A9E9099B355E771D945CB90

Function 011C6CD4 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2688827368.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11c0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b30c0ef37dbd9cdcd299e89ec578ba5a51586a8dbb3b9f79668f1b90cbacf714
Instruction ID: 8f048ea75d0c2b098723814efd70e83eb105e8980c6450cecb817a1ec1aeac32
Opcode Fuzzy Hash: b30c0ef37dbd9cdcd299e89ec578ba5a51586a8dbb3b9f79668f1b90cbacf714
Instruction Fuzzy Hash: 66510470D102288FDB18CFA9C885BEDBBB1BF58B14F14851EE815AB351D774A844CF95

Function 011C0CCB Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2688827368.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11c0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4b389da41a5e065dc84cd55c889aa7c35d70eaab672d3b132b6ec744f1183fa
Instruction ID: 3869d3ffbb4ba2d35b03cd058a2c837cb6a7bbcb1f9917c448c676089be3ea35
Opcode Fuzzy Hash: c4b389da41a5e065dc84cd55c889aa7c35d70eaab672d3b132b6ec744f1183fa
Instruction Fuzzy Hash: 4E511370D002688FDB18CFAAD894BAEBBB1BF58B10F15811EE815AB351D774A844CF95

Function 011C6CE0 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2688827368.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11c0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34ac69e4d5fec85c99fad89a5b4e89c09f83ad9ef87dd78c4d337a7268f17e44
Instruction ID: c5c11dd5d8c7e6636b71d7ff1b9d795497038e21d78a5c79448de2dcc0cf7c7e
Opcode Fuzzy Hash: 34ac69e4d5fec85c99fad89a5b4e89c09f83ad9ef87dd78c4d337a7268f17e44
Instruction Fuzzy Hash: F4510570D002288FDB18CFA9D895BAEBBB1FF58B14F14811EE815AB351D774A844CF95

Function 011C1128 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2688827368.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11c0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73982fa928a6a17fd0c97fcc20d22c89bba29f7169e0c418348e688bfe46f949
Instruction ID: 339840994702bdfbc8119756f68a19757ef8466ab05e52fa87787b90b45395a3
Opcode Fuzzy Hash: 73982fa928a6a17fd0c97fcc20d22c89bba29f7169e0c418348e688bfe46f949
Instruction Fuzzy Hash: 71512230616249AFDB06FF28FB84D553BB6B79A708304495BD0488FA3ED7356A05CB91

Function 011C1138 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2688827368.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11c0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d87d1876a554eba9c8ae5c3e4cfdeb534dfa53ff952e09cd9262561ee38fcea
Instruction ID: 145f5977cb12e8d9385947d0c6ec415a11f6cd308882f409bb7510c899395111
Opcode Fuzzy Hash: 5d87d1876a554eba9c8ae5c3e4cfdeb534dfa53ff952e09cd9262561ee38fcea
Instruction Fuzzy Hash: 58511330616249AFDB06FF28FB84D553BB6B79A308304495BD0488FA3DD7756A05CB91

Function 011CDE6A Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2688827368.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11c0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72d756ce62f4eb4cac1dc0675158c988b77b568924c2e13df61abc5557390314
Instruction ID: 96ce099be49995cc3ce5fe43e616be0e0cdaed388ef0296336224b39de90e172
Opcode Fuzzy Hash: 72d756ce62f4eb4cac1dc0675158c988b77b568924c2e13df61abc5557390314
Instruction Fuzzy Hash: B2316E75B00615EFD709DB68D890E3AB77AFBC4B00F54C168E4029B299CB35EC42DBA0

Function 011C7D90 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2688827368.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11c0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0c7e90cf196c04f930a1c771afa9bf539bb380e42938e50ff3ec5d16ef39cce
Instruction ID: a98375831cc27238106de9296d4a3e63787c790c309ebaa972075bde52872b3d
Opcode Fuzzy Hash: f0c7e90cf196c04f930a1c771afa9bf539bb380e42938e50ff3ec5d16ef39cce
Instruction Fuzzy Hash: 05316F32E10219DFDB19DBA9D5507AEB7B2FF95710F208529E405EB280EBB0AD41CF51

Function 011C26DC Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2688827368.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11c0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba7e2519b9c90cc645ba61caf94a76ecb8ef19a80ca24c7694a0d7fe24df040c
Instruction ID: b6f19bc15435a6e394862c3f17b4b91a72955c203efd6aadb31ae51988b1fd86
Opcode Fuzzy Hash: ba7e2519b9c90cc645ba61caf94a76ecb8ef19a80ca24c7694a0d7fe24df040c
Instruction Fuzzy Hash: AB41EFB4D003489FEB14CFA9C884ADEBBF5EF58710F248429E809AB250DB75A945CF90

Function 011C7D80 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2688827368.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11c0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 893cc331ff9d973a828c2df21123f1ad4b9ac3ff23f11318ac19e0daac68df77
Instruction ID: c62594d5193ab95b7125d205bf1fd4ab041f931ed3112d52b00bbcb8535d5eaa
Opcode Fuzzy Hash: 893cc331ff9d973a828c2df21123f1ad4b9ac3ff23f11318ac19e0daac68df77
Instruction Fuzzy Hash: 35316031E102599FDB1ADFA9C4507AEBBB2FF95700F204519E401EB281DBB09841CF51

Function 011C5097 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2688827368.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11c0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9a7d4a462ad743e05d2111bb0de8262128c8084b6d3434351f88e24fe45460d
Instruction ID: f141b7fb7600394ba67c5329ec96507d77af60b1549bf313d9391bde16074c67
Opcode Fuzzy Hash: b9a7d4a462ad743e05d2111bb0de8262128c8084b6d3434351f88e24fe45460d
Instruction Fuzzy Hash: 37317C30B00215EFDB5DEB78CA546AE77F2AF99A44F10056CD801AB395DB3AED01CB91

Function 011C169F Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2688827368.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11c0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5caafdc3c0456266fb1bd136ec87a9a2121d0976a1bd794354770fc65ce8d902
Instruction ID: a06f1d1e1bd6f917406e1d6f2ac23dc705b27a12ef30ec3daa84fd971317ad3b
Opcode Fuzzy Hash: 5caafdc3c0456266fb1bd136ec87a9a2121d0976a1bd794354770fc65ce8d902
Instruction Fuzzy Hash: 2C310C39640210EBEF2AEB7CE95871937B9F758B08F440D1AD009CB75BDB68CC418792

Function 011C26E8 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2688827368.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11c0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ea5ba0c906be293b593884746e3d9e7fbf898a5858bb23dbc2b5a1cf3baf9cb
Instruction ID: 042a487e4745a952b1bae141c3e5de31f7b0c4749845a20a1c07a3281e77ddb5
Opcode Fuzzy Hash: 0ea5ba0c906be293b593884746e3d9e7fbf898a5858bb23dbc2b5a1cf3baf9cb
Instruction Fuzzy Hash: B641EEB4D00348DFDB14CFAAC884ADEBBF5EF58710F248429E809AB250DB75A945CB90

Function 011C50A8 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2688827368.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11c0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf7aff57a529ebd176f70f99bf26518f2fb1ff23cdd772c277712d90593ed516
Instruction ID: 846bb499584b425dcb16b17f3232f40f3611d15e155f50444855d0482a3708df
Opcode Fuzzy Hash: cf7aff57a529ebd176f70f99bf26518f2fb1ff23cdd772c277712d90593ed516
Instruction Fuzzy Hash: FD315C30B00214DFDB5DEB78CA646AE77B3AF98A44F10056CD402AB395DB3AED01CB91

Function 011CA068 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2688827368.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11c0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53b6c7142e3bb34f1b0170ba7430ceeaaaa57ebcbbcac083d226bf4daa272a49
Instruction ID: 1b8e38429867b8d4c025f92dd3a37399a178f586c52e753d82f2b0a0aa2d42e6
Opcode Fuzzy Hash: 53b6c7142e3bb34f1b0170ba7430ceeaaaa57ebcbbcac083d226bf4daa272a49
Instruction Fuzzy Hash: 21319534E102499BDB1ACF68D95079EFBB2FF89740F50861AE905EB241EB71A845CB50

Function 0106D006 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2687067270.000000000106D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_106d000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1370cae38ee0687c016633135249e7cb83441f51523ef5879695c790d6ee8323
Instruction ID: 4aea1e23ab27a0608e6a7b1fc63e17f99a15cfd7f811fa290bb327ad5cc24865
Opcode Fuzzy Hash: 1370cae38ee0687c016633135249e7cb83441f51523ef5879695c790d6ee8323
Instruction Fuzzy Hash: 943159715093C49FDB13CB64C894711BFB5AF46214F29C5DBD9898F2A3C23A984ACB62

Function 011CA078 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2688827368.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11c0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49bf78d103d8e00680395e9608420e1895d5ff78ec916ed45d566a69558cf3a7
Instruction ID: bfe44e38906dfc0ba25112d0943c97e844bd3ea61dd35052be4d7e4b1938a8b4
Opcode Fuzzy Hash: 49bf78d103d8e00680395e9608420e1895d5ff78ec916ed45d566a69558cf3a7
Instruction Fuzzy Hash: D1219634E102099BDB1ADF68D95069EFBB2FF89740F10C619E905EB341EB719C41CB50

Function 011C9F68 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2688827368.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11c0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64478a4097d99873e66606b2cae81fd0da1645e53233ee362da3145648db2e80
Instruction ID: 6fbc0b9e1898d7250e7e51532869a53becc4caec1070bed09d44da87a39f71f6
Opcode Fuzzy Hash: 64478a4097d99873e66606b2cae81fd0da1645e53233ee362da3145648db2e80
Instruction Fuzzy Hash: 3121A431E1020D9BDB19CF68D4906DEBBB2FF99710F50861AE812F7381EB70A845CB52

Function 011CA860 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2688827368.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11c0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2c72c02f9031fd000f765152f1232db19fcbf794169bd31fdf82d14b3233f7d
Instruction ID: 3323a783146b8eb6c86dabf6798e30757cec4a0fb16a580d91f6d69b1f26fc88
Opcode Fuzzy Hash: b2c72c02f9031fd000f765152f1232db19fcbf794169bd31fdf82d14b3233f7d
Instruction Fuzzy Hash: E921C534B001088FEB19DBA9D855BEE7BF5BF88B24F11812DE505EB3A4EB719D008791

Function 011C1878 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2688827368.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11c0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64c14d46d9810fd7ebe3c02df67ff78a38fd3acd0d8413ea040973b8b2f9fa80
Instruction ID: 7eac97a101fa8a6ebc789bff48479498ccb274ca8dab98caa4f1a455ac430228
Opcode Fuzzy Hash: 64c14d46d9810fd7ebe3c02df67ff78a38fd3acd0d8413ea040973b8b2f9fa80
Instruction Fuzzy Hash: BD217C30B44205EFDB28EB78C5257AE7BF2AF59A44F20046CD401EB256EB36DD40CBA1

Function 0106D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2687067270.000000000106D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_106d000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22abf4292a7dcca32881a89456459560c03862c8f877f29639601cd1878c8aec
Instruction ID: d04e9375dfaa20a6725a18baea3398ff34fd18eddedc2bca36bfa6e4b3f8a021
Opcode Fuzzy Hash: 22abf4292a7dcca32881a89456459560c03862c8f877f29639601cd1878c8aec
Instruction Fuzzy Hash: 5821D0B1604344EFEB15DF94D980B26BBA9FB84214F24C5A9E9C94B252C33AD446CB62

Function 011C1382 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2688827368.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11c0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d273f9d68f00b432fa2f41153e1217f3a088dacaf73b5ba48fa0c2eda38c1c3f
Instruction ID: f0672f80017971e477f33a041f44241b05297f1d4117f4c98009953706d9fb17
Opcode Fuzzy Hash: d273f9d68f00b432fa2f41153e1217f3a088dacaf73b5ba48fa0c2eda38c1c3f
Instruction Fuzzy Hash: FA212434644200EBEB3B6B6CE88876D7761F716B28F10082EE446C7687DB29C885C782

Function 011CA852 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2688827368.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11c0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5565bbe8c2fb44ae57784c41c496be4609ce6a8015a6efe856923887e4c66f1
Instruction ID: c1efdd803f97be6cd29d3107adfeee096f9e564a75ead5f7efa812689877c32d
Opcode Fuzzy Hash: c5565bbe8c2fb44ae57784c41c496be4609ce6a8015a6efe856923887e4c66f1
Instruction Fuzzy Hash: E121CF71B101098FEB19CBA8D855BAE7BF5BF98B10F118029E501EB3A0EB719C008B90

Function 011C4F8A Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2688827368.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11c0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63c0e1340470d6e830e5e5dfa2d3a24c46b16b7ff672019cdfcf892725e3aced
Instruction ID: f53b01550301996930f5fec4753c89d3d0fd3c93d4e03eaef826cbe832e78867
Opcode Fuzzy Hash: 63c0e1340470d6e830e5e5dfa2d3a24c46b16b7ff672019cdfcf892725e3aced
Instruction Fuzzy Hash: 29212834B00208CFDB59EB78C559A9D77F2FB89B14F100568E406EB365DB36AD01CB91

Function 011C1888 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2688827368.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11c0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3aa7002510890ef08d2dcf4ac0381a2dfab0022a49ce4b89d01e1f16f464e45d
Instruction ID: d511ad247947eb60804578301a4dea19f34c682aa851dfb67d7ce446d8a182f9
Opcode Fuzzy Hash: 3aa7002510890ef08d2dcf4ac0381a2dfab0022a49ce4b89d01e1f16f464e45d
Instruction Fuzzy Hash: 96213030B44209EFDB18EB78C5257AE7BF2AB59A44F20046CD506EB355EB35DD40CBA1

Function 011C9F78 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2688827368.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11c0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c5e7e4a38d1dccbfe6f7fff565cf771b1627b27ed7841e75d6acb4fe7c9ab5f
Instruction ID: 5a63f287f00100a2c73741aae65aab2cbe8262e3b3284b2e8fe131197f2c2c5b
Opcode Fuzzy Hash: 6c5e7e4a38d1dccbfe6f7fff565cf771b1627b27ed7841e75d6acb4fe7c9ab5f
Instruction Fuzzy Hash: F8215331E0020D9BCB19CF68D45069EFBB2BF99710F50861AE916F7341EB70A845CB51

Function 011C16B0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2688827368.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11c0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87e025fcd33506573c71a04adef107cf384e269dfde7eb60a78636c30b003d5f
Instruction ID: 6f9b50310ff1ada160a9f1a6faf30f352983ae7752a253334a446d8c938428f4
Opcode Fuzzy Hash: 87e025fcd33506573c71a04adef107cf384e269dfde7eb60a78636c30b003d5f
Instruction Fuzzy Hash: 792139386506009BDF26EB7CEE54B1937A9F749B08F504926D009C7A5BDB78DC418B91

Function 011C4F98 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2688827368.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11c0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36c2b680bd0ef925a5c29cf134812d63c5fd73fbc495475f5cb260e09460f6af
Instruction ID: dbbb17f18ec48dfd069a35d4652468ffa843f703db18e355a76a88a34cbf8aa9
Opcode Fuzzy Hash: 36c2b680bd0ef925a5c29cf134812d63c5fd73fbc495475f5cb260e09460f6af
Instruction Fuzzy Hash: 5E211934B00209CFDB58EB78C559AAE77F2FB89714F100568E406EB365DB369D00CB91

Function 011C0848 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2688827368.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11c0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08923c0368c9abde0e16e72a4b68d845578cbaeabd1f7e32485f2ac4f41a32a9
Instruction ID: ed2127170a94c9e9d09d75d766c04146f4a6a1d6b3d21848ecb2d5ecd27d7250
Opcode Fuzzy Hash: 08923c0368c9abde0e16e72a4b68d845578cbaeabd1f7e32485f2ac4f41a32a9
Instruction Fuzzy Hash: FC118638F00308CBEF69967CC95476A3355FB5DA14F10C86DE006CB252DB25CC818BC1

Function 011C0838 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2688827368.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11c0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bf19dcd1a88a462d2f9df89c607200310f6f7fdeefc587e021e83e54c0a58d3
Instruction ID: 1c5a9665c1585acec2504acc3a91f04a6d153d5ef1809466ee84af9099422a62
Opcode Fuzzy Hash: 9bf19dcd1a88a462d2f9df89c607200310f6f7fdeefc587e021e83e54c0a58d3
Instruction Fuzzy Hash: F6119438E00304CBEF695668D94077B3354F7A9A14F10C92EF406CB252EB25CC818BC1

Function 011C1488 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2688827368.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11c0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d13ed85dcd0677b8388ea962fa92e612be262343c038d4cdde6bece8097392a0
Instruction ID: 2455572007f2734ea3ac6fe0a12f72f4a5708df2e984214f6dc1bec90c2a7e25
Opcode Fuzzy Hash: d13ed85dcd0677b8388ea962fa92e612be262343c038d4cdde6bece8097392a0
Instruction Fuzzy Hash: AA11B235E00252EFDB1AAFB885901ADBBB1EF69614F1504AEE805E7342E775C841CB91

Function 011C17C0 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2688827368.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11c0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f28d081d887f6f60e579fd7f4f0d453918fb19b6ed5f0eac52b3a9b5f2c5f63
Instruction ID: 6c2091f5eb6d00b6379d6d5c05bf49213b994e5a76462c62e8ad941d93806502
Opcode Fuzzy Hash: 4f28d081d887f6f60e579fd7f4f0d453918fb19b6ed5f0eac52b3a9b5f2c5f63
Instruction Fuzzy Hash: 9111027AF00315AFCB18ABF8E90866E3FF5FB48A10F100829E905E3305EB34C9028790

Function 011C1498 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2688827368.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11c0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d39fd7c1e134b63be9543c73e8c2f5541c5f3961f0a90e30e6575e1775abbfb
Instruction ID: 79505a612667eff632a9527281fb1e6fcb86463bd2a6237d3f09ea873750cb82
Opcode Fuzzy Hash: 7d39fd7c1e134b63be9543c73e8c2f5541c5f3961f0a90e30e6575e1775abbfb
Instruction Fuzzy Hash: 13014035A00216EBCB29EFB884641AEBBF5EB69A14F25047DD805E7302E735C881CBD5

Function 011C6B98 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2688827368.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11c0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1fa0660e6a9b02ec15127c869cd306096a110f7ae61934ea7a0edcdb467ca18
Instruction ID: 0997184d2df77792836e7b70e8f95b0a4c509d96e9e00e81ed21545f38cb6d75
Opcode Fuzzy Hash: e1fa0660e6a9b02ec15127c869cd306096a110f7ae61934ea7a0edcdb467ca18
Instruction Fuzzy Hash: AA01D2317142049FC719ABBCD81179E7BA2EFCA700F1448AED146DB390DB359841D796

Function 011CA6C5 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2688827368.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11c0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 800b146baf7d5d77d099227de3fbe30dfdf72d0c4164c4d8e4fb9eff7e5b21ce
Instruction ID: 1b18022acf4813f119a8e64a6753da87f0e92055b74911e9d9899866c0ce49d5
Opcode Fuzzy Hash: 800b146baf7d5d77d099227de3fbe30dfdf72d0c4164c4d8e4fb9eff7e5b21ce
Instruction Fuzzy Hash: D301B531A002048FDB18DF98D984B8ABBB5FFD4310F54C668C84C5F295E774E905CBA1

Function 011C40FF Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2688827368.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11c0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef5ffbdeb6ec8b0f3b70bfe0eab1c231c966833ba2f7f60043106ec15bc4406d
Instruction ID: 1b91be8b1925f2c9f7f022ea246ad90b5d608c362d83591eacb7198b8c7bf3c2
Opcode Fuzzy Hash: ef5ffbdeb6ec8b0f3b70bfe0eab1c231c966833ba2f7f60043106ec15bc4406d
Instruction Fuzzy Hash: F8110930E08249DEDF2CDA9CD9A87ECBB71AFB4B19F14152ED051A2990DB3069C5CB15

Function 011C8F08 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2688827368.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11c0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9f11d49dfbe0849209cfd6c48fd270bb7a37c9c105565d04164c865b35cfddf
Instruction ID: e628c0ea13fc289d06c3c3546c912d0e0d4d3d58c870e8e792231705b1b95c7a
Opcode Fuzzy Hash: d9f11d49dfbe0849209cfd6c48fd270bb7a37c9c105565d04164c865b35cfddf
Instruction Fuzzy Hash: 4A018F30D00208AFDF55EFA8EE90A8D7BB5FF84304F504A69C4089B209DB345E049B51

Function 011C1524 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2688827368.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11c0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fb06209e67cc7c3bc8a6ca534aa5ae745d9754c0783d92d7643cc1e97826116
Instruction ID: d9de86e0b0759e01bf6242aff754d90cdf6dae07a5c629bb22b79bf6b4443a67
Opcode Fuzzy Hash: 8fb06209e67cc7c3bc8a6ca534aa5ae745d9754c0783d92d7643cc1e97826116
Instruction Fuzzy Hash: BAF05077A44110EFD72A8BE894501ACBFB0FE7991171D00DFD846DB202D335D442C752

Function 011C7EA8 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2688827368.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11c0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 221fa0544349ca7234771a9511cfc25bb45c2a29217a1aab5335a3b908ef45a7
Instruction ID: b4ba0b73d753b4057d46ec6ba82472b141b4e2c69df0d13461b6072470fae8f2
Opcode Fuzzy Hash: 221fa0544349ca7234771a9511cfc25bb45c2a29217a1aab5335a3b908ef45a7
Instruction Fuzzy Hash: 45F0E739B00518CFD714EB78E698B6D77B2EF89B15F1144A8E5069B3A4DB31AD02CF50

Function 011C8F18 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2688827368.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11c0000_Telco 32pcs New Purchase Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0be7cd0e4fa96c14f595831e5758e2da00bc71d8ed0c76e6d72e393c1bd8b0ee
Instruction ID: 0bc0eb565a9af4b5f6761a23228b8f9e84f80a497b0479fcf67beadf6b8a9556
Opcode Fuzzy Hash: 0be7cd0e4fa96c14f595831e5758e2da00bc71d8ed0c76e6d72e393c1bd8b0ee
Instruction Fuzzy Hash: EDF0813490020CAFCB05FFA8FE60A8D7BB5FF84704F405A69C4089B244DF346E049B91

Analysis Process: zBzzGAdzqF.exePID: 2768, Parent PID: 660COMMON

Execution Graph

Execution Coverage:	11.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	226
Total number of Limit Nodes:	18

Executed Functions

Function 0148D428 Relevance: 6.1, APIs: 4, Instructions: 130
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0148D4B6
GetCurrentThread.KERNEL32 ref: 0148D4F3
GetCurrentProcess.KERNEL32 ref: 0148D530
GetCurrentThreadId.KERNEL32 ref: 0148D589

Memory Dump Source

Source File: 0000000B.00000002.1509703303.0000000001480000.00000040.00000800.00020000.00000000.sdmp, Offset: 01480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1480000_zBzzGAdzqF.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 0376f0bbbe5dc89d5a681d43ce99703737066577cfa66dd3e39f3bca5bd06215
Instruction ID: 682612733d163ba38c655f9bff25f81c2f999178a8448cfdfad7d0b674ef74d5
Opcode Fuzzy Hash: 0376f0bbbe5dc89d5a681d43ce99703737066577cfa66dd3e39f3bca5bd06215
Instruction Fuzzy Hash: B35146B0D013098FEB14DFA9D548BDEBBF1AF88314F20845AE419A73A0D7746944CB65

Function 0148D438 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0148D4B6
GetCurrentThread.KERNEL32 ref: 0148D4F3
GetCurrentProcess.KERNEL32 ref: 0148D530
GetCurrentThreadId.KERNEL32 ref: 0148D589

Memory Dump Source

Source File: 0000000B.00000002.1509703303.0000000001480000.00000040.00000800.00020000.00000000.sdmp, Offset: 01480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1480000_zBzzGAdzqF.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 1e00f49ae6cf38cd4229a3397b38bae532f9c0cee62ade384b4d58b19b4000c1
Instruction ID: bb042a982e333c3eb55da5f0e5ff9f307bfbaa8b87a04fd2bcf972d232c65342
Opcode Fuzzy Hash: 1e00f49ae6cf38cd4229a3397b38bae532f9c0cee62ade384b4d58b19b4000c1
Instruction Fuzzy Hash: AE5115B0D017098FEB14DFAAD548BDEBBF1AB88314F20845AE419A73A0D7746944CF65

Function 073E9915 Relevance: 1.7, APIs: 1, Instructions: 245
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 073E9B56

Memory Dump Source

Source File: 0000000B.00000002.1515134801.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_73e0000_zBzzGAdzqF.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 025f8ad8ed8e55acf9458d1a7bcf591ebc5b880f1d1031323bc95591a2414afb
Instruction ID: b3383168a3ee2dd84733fc9216bdd49b87903ce7298a212934777883fb7da9f5
Opcode Fuzzy Hash: 025f8ad8ed8e55acf9458d1a7bcf591ebc5b880f1d1031323bc95591a2414afb
Instruction Fuzzy Hash: D8A150B1D0062ACFEB14DF69C841BDEBBF6BF44310F148169D849A7290DB749985CF92

Function 073E9920 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 073E9B56

Memory Dump Source

Source File: 0000000B.00000002.1515134801.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_73e0000_zBzzGAdzqF.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: b446e38ebc458d184398d6b5e9f7e800cfed4bc59f56eba4f24c79978c4de51d
Instruction ID: 2a7558c84be5b4d31953327ef1a802aad949c87cd26803cee006e35aefbae0db
Opcode Fuzzy Hash: b446e38ebc458d184398d6b5e9f7e800cfed4bc59f56eba4f24c79978c4de51d
Instruction Fuzzy Hash: D7914FB1D0022ACFEB14DFA9C841BDEBBB6BF44310F148169D849A7290DB759985CF92

Function 0148ADA8 Relevance: 1.7, APIs: 1, Instructions: 206
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0148AFFE

Memory Dump Source

Source File: 0000000B.00000002.1509703303.0000000001480000.00000040.00000800.00020000.00000000.sdmp, Offset: 01480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1480000_zBzzGAdzqF.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 219222547ccf39e495ccc87a779fabfa117aebbe925e07cb5c51070815841d62
Instruction ID: 870a01d6c202c374aa74af67c1ea19cf73b8e5d672b6f948de2f22e817ef2a5e
Opcode Fuzzy Hash: 219222547ccf39e495ccc87a779fabfa117aebbe925e07cb5c51070815841d62
Instruction Fuzzy Hash: 49814870A00B058FD724EF2AD45576ABBF1FF88214F10892ED586D7B60D7B5E846CB90

Function 0148590D Relevance: 1.6, APIs: 1, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 014859C9

Memory Dump Source

Source File: 0000000B.00000002.1509703303.0000000001480000.00000040.00000800.00020000.00000000.sdmp, Offset: 01480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1480000_zBzzGAdzqF.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 4840e78a807b0fd1134878fa7c150515f3ade77592718ab4d58437e44b395216
Instruction ID: 2519d4a31426a97f95b52214c6b32d4a59611ea064218ba27cfc1602219b6dfb
Opcode Fuzzy Hash: 4840e78a807b0fd1134878fa7c150515f3ade77592718ab4d58437e44b395216
Instruction Fuzzy Hash: 1841C1B0C00719CBEB24DFA9D884BCEBBB5BF49704F20846AD409AB251DB75594ACF90

Function 014844E0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 014859C9

Memory Dump Source

Source File: 0000000B.00000002.1509703303.0000000001480000.00000040.00000800.00020000.00000000.sdmp, Offset: 01480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1480000_zBzzGAdzqF.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 62b27edb849291e9adee71da1302014047889b8d86618032fe352b7015491cbe
Instruction ID: 46191fa677b83e63ec43e2531c71265a072c1db8b308c1b7ae7dbf41bb56d7f8
Opcode Fuzzy Hash: 62b27edb849291e9adee71da1302014047889b8d86618032fe352b7015491cbe
Instruction Fuzzy Hash: 9341B270C00719CBEB24DFA9D884BDEBBB5BF49704F24806AD409AB251DB75594ACF90

Function 073E9691 Relevance: 1.6, APIs: 1, Instructions: 71
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 073E9728

Memory Dump Source

Source File: 0000000B.00000002.1515134801.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_73e0000_zBzzGAdzqF.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: cc6270b87efdf780fa4b9f1d79735e80a3224297025c8619700b9da75c2d6e10
Instruction ID: 451f4f9e7ebc7313a80f0024b4d5785c2587f94823bd784cacfe33947497bc44
Opcode Fuzzy Hash: cc6270b87efdf780fa4b9f1d79735e80a3224297025c8619700b9da75c2d6e10
Instruction Fuzzy Hash: CE215AB59003599FDB10CFAAC885BDEBBF5FF48310F14842AE918A7240C778A944CFA1

Function 073E9698 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 073E9728

Memory Dump Source

Source File: 0000000B.00000002.1515134801.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_73e0000_zBzzGAdzqF.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 143f1731b432acc93dac68074c6d84642b128ca11965f18b17a1cfc71228e057
Instruction ID: 35cbc966976150efc33e7934e652c15f755a847a9fa45a69232de6def267d8ef
Opcode Fuzzy Hash: 143f1731b432acc93dac68074c6d84642b128ca11965f18b17a1cfc71228e057
Instruction Fuzzy Hash: F32139B59003599FDB10CFAAC885BDEBBF5FF48310F10842AE918A7240D778A944CFA5

Function 073E9781 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 073E9808

Memory Dump Source

Source File: 0000000B.00000002.1515134801.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_73e0000_zBzzGAdzqF.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 818044864544431f682c845ce96ecd3e49188c033d43eb9a2a917a3cf10c08a2
Instruction ID: 37d371f905b7cfd6b5a8295da98eef75a04bfa552c7542fa325315a9a620e861
Opcode Fuzzy Hash: 818044864544431f682c845ce96ecd3e49188c033d43eb9a2a917a3cf10c08a2
Instruction Fuzzy Hash: BE2139B1C003599FDB10CFAAC845BDEBBF5FF48310F10842AE918A3250C738A540CBA1

Function 073E90C3 Relevance: 1.6, APIs: 1, Instructions: 64
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 073E9146

Memory Dump Source

Source File: 0000000B.00000002.1515134801.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_73e0000_zBzzGAdzqF.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: d4990d3ffb71e62504f49fa85bc3284a73482375fc16106dff21b05f9d96f9da
Instruction ID: 065cb94e9e6cc1d037f6b4ad351afbb5c9869d8e8dda6f722cab3e645227b08c
Opcode Fuzzy Hash: d4990d3ffb71e62504f49fa85bc3284a73482375fc16106dff21b05f9d96f9da
Instruction Fuzzy Hash: EA213AB1D003198FDB10DFAAC4847EEBBF5EF48310F14842AD859A7240C7789945CFA1

Function 073E9788 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 073E9808

Memory Dump Source

Source File: 0000000B.00000002.1515134801.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_73e0000_zBzzGAdzqF.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 6da38d3ffcaf0c250dada757bba25a4c57423431e3006d9d38d3c4a3f66be20e
Instruction ID: 36a022803fab10ddcf34a55bc40c8f5e513ca4e59af019d1c9a8bd97a8fe11ea
Opcode Fuzzy Hash: 6da38d3ffcaf0c250dada757bba25a4c57423431e3006d9d38d3c4a3f66be20e
Instruction Fuzzy Hash: 452128B1C003599FDB10DFAAC844BDEBBF5FF48310F108429E918A7250C7799544CBA5

Function 073E90C8 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 073E9146

Memory Dump Source

Source File: 0000000B.00000002.1515134801.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_73e0000_zBzzGAdzqF.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: c71831f9a3871911bcf1abe0842f6929adba0f8dedba17cbe68537cf18ef4934
Instruction ID: 75ab9d800ab23047ceb3c1bdcbaccdd6f0c278daffd6be4fcc860e6a05da8d5e
Opcode Fuzzy Hash: c71831f9a3871911bcf1abe0842f6929adba0f8dedba17cbe68537cf18ef4934
Instruction Fuzzy Hash: 192129B1D003198FDB10DFAAC8857EEBBF5EF48720F148429D919A7240CB78A945CFA5

Function 0148D680 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0148D707

Memory Dump Source

Source File: 0000000B.00000002.1509703303.0000000001480000.00000040.00000800.00020000.00000000.sdmp, Offset: 01480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1480000_zBzzGAdzqF.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a2a9a141e5b0fd697e4a1499e56135df2da1c6989ca671c8e94db7125324d230
Instruction ID: f3982952ea8e7b937c99fd2cb06d55f4e2ba04be1a65cb6ad64c3c826f60ce08
Opcode Fuzzy Hash: a2a9a141e5b0fd697e4a1499e56135df2da1c6989ca671c8e94db7125324d230
Instruction Fuzzy Hash: A121C4B5D012489FDB10DFAAD984ADEBBF9FB48310F14841AE914A3350D378A944CF65

Function 0148D679 Relevance: 1.6, APIs: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0148D707

Memory Dump Source

Source File: 0000000B.00000002.1509703303.0000000001480000.00000040.00000800.00020000.00000000.sdmp, Offset: 01480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1480000_zBzzGAdzqF.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 9b77b826bda5d584c51d34f21401a2f80053965225a3e421f6917db0761cc06c
Instruction ID: ac991618036e6de25cf92d2ca84a85395e99e161a4424f6d19ad6ce5e9691cd4
Opcode Fuzzy Hash: 9b77b826bda5d584c51d34f21401a2f80053965225a3e421f6917db0761cc06c
Instruction Fuzzy Hash: 0E21E2B5D002489FDB10DFAAD984ADEBBF5FB48320F14841AE918B3350D378A944CF60

Function 073E95D0 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 073E9646

Memory Dump Source

Source File: 0000000B.00000002.1515134801.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_73e0000_zBzzGAdzqF.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 32617e9569139f2ebf224ac19fcc32f9e0f0d04a43b6bdac31bbf75f5b06e6e7
Instruction ID: 8999189e830676bc18f9c8b7f3014d145e3e4c07cefdfeaa704ec85210974ac0
Opcode Fuzzy Hash: 32617e9569139f2ebf224ac19fcc32f9e0f0d04a43b6bdac31bbf75f5b06e6e7
Instruction Fuzzy Hash: 831147768002499FDB10DFAAD845BDEBBF5FF48720F14881AE519A7250CB79A540CFA1

Function 073E95D8 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 073E9646

Memory Dump Source

Source File: 0000000B.00000002.1515134801.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_73e0000_zBzzGAdzqF.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 38fe3c04f138ce3a6f8a25cde996fc387622bbd3c2739cd7423bb785e96eaf1d
Instruction ID: a772a4253fd2c5a27bdcedabc42141eed05ef1404f36a5114950c5d9211dae40
Opcode Fuzzy Hash: 38fe3c04f138ce3a6f8a25cde996fc387622bbd3c2739cd7423bb785e96eaf1d
Instruction Fuzzy Hash: 6C1126718003499FDB10DFAAC844BDEBBF5EF88720F14881AE919A7250CB79A544CFA5

Function 073E8BE0 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 073E8C42

Memory Dump Source

Source File: 0000000B.00000002.1515134801.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_73e0000_zBzzGAdzqF.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 1a62f3dc4bcc6f8200a00565eedf9ab042e85f4c6e837462b5f1dd798712d76e
Instruction ID: 6ec279467b8a184184d1e557cac3276fd3c84d6df58d01538f99ca9bc553dd0e
Opcode Fuzzy Hash: 1a62f3dc4bcc6f8200a00565eedf9ab042e85f4c6e837462b5f1dd798712d76e
Instruction Fuzzy Hash: EE1128B1D003588BDB14DFAAD4457DEFBF9EF88720F248819D519A7240CB79A544CFA4

Function 073E8BD8 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 073E8C42

Memory Dump Source

Source File: 0000000B.00000002.1515134801.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_73e0000_zBzzGAdzqF.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 73a8a380e197660c44d26d726d7aa588e464d6bcb653c4db6a49367a5974cb56
Instruction ID: 376ce437f1116f66ad5bc6c7a5fb7e13f7070bef596d42f492b0f50b8b7a0ac0
Opcode Fuzzy Hash: 73a8a380e197660c44d26d726d7aa588e464d6bcb653c4db6a49367a5974cb56
Instruction Fuzzy Hash: DD1134B1D003498BDB24DFAAC5487DEFBF5AF88220F24881AD519A7250CB799544CFA4

Function 073ECA70 Relevance: 1.5, APIs: 1, Instructions: 49windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 073ECAD5

Memory Dump Source

Source File: 0000000B.00000002.1515134801.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_73e0000_zBzzGAdzqF.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 29d7c2178abd7c9eba169fe0aee027ef6cfda23f2ede36087b986ddd056b8319
Instruction ID: 1eddd64f57d6caacbc4bd717b961cd895c803b9ceca15cc2faca7efe2555b79e
Opcode Fuzzy Hash: 29d7c2178abd7c9eba169fe0aee027ef6cfda23f2ede36087b986ddd056b8319
Instruction Fuzzy Hash: E511F5B58003599FDB10CF9AD845BDEFFF8EB48320F20841AD558A7641C379A544CFA5

Function 0148AF98 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0148AFFE

Memory Dump Source

Source File: 0000000B.00000002.1509703303.0000000001480000.00000040.00000800.00020000.00000000.sdmp, Offset: 01480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1480000_zBzzGAdzqF.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: bbee5fa389042f807ef065f084a1003e911634220b2e37fde588fd565e7e4d68
Instruction ID: 9c7dbc4a5ea7b6912cb90b659a52ce26cc5d2da90081198be180564a67ebbae1
Opcode Fuzzy Hash: bbee5fa389042f807ef065f084a1003e911634220b2e37fde588fd565e7e4d68
Instruction Fuzzy Hash: D5110FB5C006498FDB24DF9AC444BDEFBF5EB88224F10841AD928A7220C379A545CFA1

Function 073EACAC Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 073ECAD5

Memory Dump Source

Source File: 0000000B.00000002.1515134801.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_73e0000_zBzzGAdzqF.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 99d8b8a512fe07c66587bcd9813ad2917f3e536af3edc83ff2eae12a8dee6b85
Instruction ID: a0ab87a7f7764ba02f537b8ffe3f905bf5d80ce038f2c902ab9c6fabe949e25c
Opcode Fuzzy Hash: 99d8b8a512fe07c66587bcd9813ad2917f3e536af3edc83ff2eae12a8dee6b85
Instruction Fuzzy Hash: 8D11F5B58003599FDB10DF9AD449BEEBBF8EB48310F108819E918A7340C379A944CFA5

Function 010FD1FC Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1508195502.00000000010FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10fd000_zBzzGAdzqF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7927fb89333ff773b6803c55b9dd6d7adcea1f5150ab7cdcbb6109cc13dba8ad
Instruction ID: a562aabbbbe5bff1afe7871744dea8b8dd8ca3ac5e24d107f778ad86146dcdca
Opcode Fuzzy Hash: 7927fb89333ff773b6803c55b9dd6d7adcea1f5150ab7cdcbb6109cc13dba8ad
Instruction Fuzzy Hash: 1F210876504340DFDB45DF94D8C1B1ABBA5FB94324F20C5ADEA450B646C336D416CBA1

Function 010FD4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1508195502.00000000010FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10fd000_zBzzGAdzqF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dedaf83702c3f1907370bdaecfc826e47ff9e321ffbe84bcfa4bf7b8b8a49c58
Instruction ID: 0c4b65087711e8061cb3e4fccf42fb7bf34e9d15fb658e2ef3aad20a9a135f62
Opcode Fuzzy Hash: dedaf83702c3f1907370bdaecfc826e47ff9e321ffbe84bcfa4bf7b8b8a49c58
Instruction Fuzzy Hash: 2D2136B1500240DFDB05DF94D8C5F2ABFA1FB84718F20C1ADDA890B656C336D446CBA2

Function 0111D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1508276352.000000000111D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0111D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_111d000_zBzzGAdzqF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ae22616d93b3fb5d9aada4b6d6231c553534fd36e871d61418830db5c59273e
Instruction ID: 2b673a65f155e652489b4e5156e0a5bc95db07a0914c6bc3701df00d24ff9d81
Opcode Fuzzy Hash: 7ae22616d93b3fb5d9aada4b6d6231c553534fd36e871d61418830db5c59273e
Instruction Fuzzy Hash: 4E210371504300AFDF09DF94E9C8B55FBA1FB84224F20C67DE8094B25AC33AD406CA62

Function 0111D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1508276352.000000000111D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0111D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_111d000_zBzzGAdzqF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b05825b4a316eea62947c2cc5ec4e2be6080bb06eec133ccdb61f93e43692f83
Instruction ID: 3046f6cccad99aad5267e287fa0be04b43bb462bb0d431beba4d3a5a79f18e58
Opcode Fuzzy Hash: b05825b4a316eea62947c2cc5ec4e2be6080bb06eec133ccdb61f93e43692f83
Instruction Fuzzy Hash: 5C210075604300EFDF19DF94E888B16FB61FB84214F20C5BDD80A0B24AC33AD447CA62

Function 010FD1F7 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1508195502.00000000010FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10fd000_zBzzGAdzqF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 788e04879303f038a4119c50adcc9150c8354023de2962495192c323b19cba65
Instruction ID: bb3f40cc26d10f773291c6199331a259b5ccf117751594e0abd398f5b6f4df28
Opcode Fuzzy Hash: 788e04879303f038a4119c50adcc9150c8354023de2962495192c323b19cba65
Instruction Fuzzy Hash: AD21DF76404240CFCB46CF44D9C4B16BFB2FB84324F24C1AADD480B656C33AD426CBA1

Function 010FD4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1508195502.00000000010FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10fd000_zBzzGAdzqF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9902afee9e3b44ff2e822c933ca4f9850614e81a5517644e66c67081f9efd2f
Instruction ID: e328ff5dc70efc49b29dba94ff81322e7999a0bd6e1b0c3d55eb89669142a906
Opcode Fuzzy Hash: d9902afee9e3b44ff2e822c933ca4f9850614e81a5517644e66c67081f9efd2f
Instruction Fuzzy Hash: 3511DF72404280CFCB02CF54D5C4B16BFB2FB84718F24C6ADD9490B656C33AD45ADBA2

Function 0111D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1508276352.000000000111D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0111D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_111d000_zBzzGAdzqF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd2c54e641c636489e18f71c5e932094e1140b5f592d34fffac0146327057262
Instruction ID: 143c19cb619fd346b515ff4af60bd2d699bef26c9cd20adce205cbb980245b4e
Opcode Fuzzy Hash: dd2c54e641c636489e18f71c5e932094e1140b5f592d34fffac0146327057262
Instruction Fuzzy Hash: B7119075504280DFDB16CF54E5C8B15FF62FB44314F24C6A9D8494B65AC33BD44ACB62

Function 0111D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1508276352.000000000111D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0111D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_111d000_zBzzGAdzqF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd2c54e641c636489e18f71c5e932094e1140b5f592d34fffac0146327057262
Instruction ID: c4ded9f54b11794d42865d527bbd07d03c8c46b3e6b4311edeb7199ac2c012c0
Opcode Fuzzy Hash: dd2c54e641c636489e18f71c5e932094e1140b5f592d34fffac0146327057262
Instruction Fuzzy Hash: 3C11BB75504280DFCB06CF54D5C8B15FFA2FB84224F24C6A9D8494B69AC33AD44ACB62

Function 010FD745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1508195502.00000000010FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10fd000_zBzzGAdzqF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 492e74d72050b17ec4c4b859559409aa95653f386198abd638f7c277b6e6b21f
Instruction ID: 6c78260375ee63ed54de20585abfb6f7258bd7c3307e2fed665bfcdec53f9b2e
Opcode Fuzzy Hash: 492e74d72050b17ec4c4b859559409aa95653f386198abd638f7c277b6e6b21f
Instruction Fuzzy Hash: 2301F7710043849FF7115A95CD85B6ABBD8FF81620F14C55EEE480FA82E3399400CB72

Function 010FD744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1508195502.00000000010FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10fd000_zBzzGAdzqF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8db09fdf0678a87615df2d06d62bd9f43df0fa97329f59fe206cf266c2d48033
Instruction ID: 373e725ccb2bd2827960fa557d2b414ec31d0562b98baf29991da78d0b3ba20c
Opcode Fuzzy Hash: 8db09fdf0678a87615df2d06d62bd9f43df0fa97329f59fe206cf266c2d48033
Instruction Fuzzy Hash: D0F0C2314043849FE7118E19CC88B66FFD8EB81634F18C05AEE480F697D2799840CBB1

Analysis Process: zBzzGAdzqF.exePID: 7500, Parent PID: 2768COMMON

Execution Graph

Execution Coverage:	8.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	21
Total number of Limit Nodes:	4

Executed Functions

Function 0179A968 Relevance: 3.1, Instructions: 3073COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2689036900.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1790000_zBzzGAdzqF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b89f7b9ed2f2e0541bf3de22810426f2a404aa477be732a6d750b797fb28e926
Instruction ID: 7dee078cbb1c49154d9b085c5f6741acb058f76ea88305f36798f624480b4c72
Opcode Fuzzy Hash: b89f7b9ed2f2e0541bf3de22810426f2a404aa477be732a6d750b797fb28e926
Instruction Fuzzy Hash: F6630B31D10B1A8ADB11EF68C8805ADF7B1FF99300F55D79AE4587B121EB70AAD4CB81

Function 01794A98 Relevance: .3, Instructions: 266
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000F.00000002.2689036900.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1790000_zBzzGAdzqF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd5b1f7725e279b5565e929da3efbc92eb5b2f274135b843f431ee8e0ce2fd6d
Instruction ID: 3068df9b1afe36ea669c0baf5ca0db67c0367ab595435e7a1d3db5d798747d5b
Opcode Fuzzy Hash: cd5b1f7725e279b5565e929da3efbc92eb5b2f274135b843f431ee8e0ce2fd6d
Instruction Fuzzy Hash: C1B16170E002498FDF14CFA9E9857ADFBF2AF48714F148129D816E7354EB74988ACB85

Function 01793E80 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2689036900.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1790000_zBzzGAdzqF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f3dcbf1c395f46df78b99b1088cb1b948828af88a111d47b7c96f86e4befd40
Instruction ID: c3a9ff5371dc8d0b186a266954acf83439df745a54647c4cf8678718c1b3e71e
Opcode Fuzzy Hash: 7f3dcbf1c395f46df78b99b1088cb1b948828af88a111d47b7c96f86e4befd40
Instruction Fuzzy Hash: 07915E70E002098FDF14CFA9E9857AEFBF2BF88714F148129E415A7254EB74984ACB91

Function 05D5E960 Relevance: 1.6, APIs: 1, Instructions: 130
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000F.00000002.2700390099.0000000005D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5d50000_zBzzGAdzqF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 246c5bdfb0231ebce13d61e0a5d39bb1753b88ebd256857854773de694ae054a
Instruction ID: f76d7205db6e8df80abf894cb6dab9659a7f23f8b644bbead2f4d822594a1e0e
Opcode Fuzzy Hash: 246c5bdfb0231ebce13d61e0a5d39bb1753b88ebd256857854773de694ae054a
Instruction Fuzzy Hash: 6641E332D043599FDB14DFBAD80469EBBF5EF89220F15856BD808A7340EB749885CBE0

Function 05D5E550 Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,05D5E9B2), ref: 05D5EA9F

Memory Dump Source

Source File: 0000000F.00000002.2700390099.0000000005D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5d50000_zBzzGAdzqF.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: ded1bab76d0826cefab45c581cc819bc9d36f81acdbd698488a86a6491dd0e8b
Instruction ID: e593f6365b69478d1e3a691ee8bf056326a0df2d7025ad122241d0f394a3e909
Opcode Fuzzy Hash: ded1bab76d0826cefab45c581cc819bc9d36f81acdbd698488a86a6491dd0e8b
Instruction Fuzzy Hash: 541117B1C006599BDB10DFAAC4447DEFBF9FF48220F14816AD818A7240D378A944CFA5

Function 05D5EA30 Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,05D5E9B2), ref: 05D5EA9F

Memory Dump Source

Source File: 0000000F.00000002.2700390099.0000000005D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5d50000_zBzzGAdzqF.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: e151cc7d32adaeea43eab35a25fc8b09bae27e1b60d60a55ec09312a88f5dd87
Instruction ID: e8eb5e879942e9eb8e84ff7fd9784d9c05190fecf791040ae7a82d7fed4eeda6
Opcode Fuzzy Hash: e151cc7d32adaeea43eab35a25fc8b09bae27e1b60d60a55ec09312a88f5dd87
Instruction Fuzzy Hash: AE1136B1D106599BCB10DFAAC4487DEFBF5FF48220F14816AE818A7240D378AA41CFA5

Function 01798720 Relevance: .6, Instructions: 562
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000F.00000002.2689036900.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1790000_zBzzGAdzqF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: defddb1e6c859d35b27a860c1feb7a644aaec3329666a881a9dd349401291b54
Instruction ID: f8c80fbd1d571207e51704e9704b27782cecf084a6321d4fce9d63413cdc9990
Opcode Fuzzy Hash: defddb1e6c859d35b27a860c1feb7a644aaec3329666a881a9dd349401291b54
Instruction Fuzzy Hash: 752253307012069BDB299B2CF89461D73E6FBCA314B544939D006CF755CF79EC8A8B92

Function 0179A1AA Relevance: .4, Instructions: 410
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000F.00000002.2689036900.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1790000_zBzzGAdzqF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcfee92325393021eceac6465494ae7e344fba216c626e90196b4e62c32bf399
Instruction ID: 5b67e9a6b1474838961473d598b83b983674f10cee57ad7ac12ce04d1e7d6063
Opcode Fuzzy Hash: bcfee92325393021eceac6465494ae7e344fba216c626e90196b4e62c32bf399
Instruction Fuzzy Hash: 6CE18B34B012058FDF15CBACE994AADBBB2FB89310F24856AE506DB351DB34DC46CB90

Function 01794A90 Relevance: .3, Instructions: 260
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000F.00000002.2689036900.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1790000_zBzzGAdzqF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1358dfede354f02584cd6f2bbc55178d61a910aec4b9111b3159eaf6047e217
Instruction ID: dd38e02ce1e5e3107712b0931143ec7356dad64e3f7649258d39c40425e4a5ad
Opcode Fuzzy Hash: d1358dfede354f02584cd6f2bbc55178d61a910aec4b9111b3159eaf6047e217
Instruction Fuzzy Hash: 97A17C70E002498FDF10CFA9E9857ADFBF1BF48714F148129D81AA7254EB74988ACB91

Function 01793E74 Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2689036900.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1790000_zBzzGAdzqF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a07f3a7094934e08468cbbe82848fb3339f4948357bdd1b982f4e9859e1dde51
Instruction ID: a12dc43eb574a87291411ccd8fd37eddbd0ee0196cf3d4e34fb1f200064f95de
Opcode Fuzzy Hash: a07f3a7094934e08468cbbe82848fb3339f4948357bdd1b982f4e9859e1dde51
Instruction Fuzzy Hash: 9CA15AB1E002099FDF10CFA9E9857DEFBF2BF48714F148129E415A7254EB34984ACB91

Function 01796ECF Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2689036900.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1790000_zBzzGAdzqF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21de4c6e701e0cf5c2877cdd97fdda264d820603de60e2301ba3e631c95672db
Instruction ID: d9ff924ed4c695861e59bd36b7584fde39e325f0d33c423cdcfcdf94e43e6240
Opcode Fuzzy Hash: 21de4c6e701e0cf5c2877cdd97fdda264d820603de60e2301ba3e631c95672db
Instruction Fuzzy Hash: AD618E34A10205CFDF14DB68D558AADBBB6FF89700F2041A9E406EB7A1DB75DC48CBA1

Function 01794808 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2689036900.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1790000_zBzzGAdzqF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 466aac8b0a8745ba9c11941100333736bd974de7f663e97a01b0c8d75dfd3381
Instruction ID: e25445e848aa17c30c4cb3b389e0eaf1d55d15904227f85e04759ca649b2edc9
Opcode Fuzzy Hash: 466aac8b0a8745ba9c11941100333736bd974de7f663e97a01b0c8d75dfd3381
Instruction Fuzzy Hash: 86715E70D002498FDF14CFA9E984BDEFBF1EF48714F148129E416AB254DB78984ACB95

Function 01794810 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2689036900.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1790000_zBzzGAdzqF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d395aee9a5d3bd5f8545f6eb338436bf26771a00ed9f54ffc3ce5165542bd22
Instruction ID: 02ff756cd1aa0cc0a393cbd862e560a8832514e6e67a686e16bff94561873b11
Opcode Fuzzy Hash: 2d395aee9a5d3bd5f8545f6eb338436bf26771a00ed9f54ffc3ce5165542bd22
Instruction Fuzzy Hash: 69716F70E003498FDF14CFA9D984B9EFBF2EF48714F148129E416A7254EB789846CB95

Function 01796CD4 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2689036900.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1790000_zBzzGAdzqF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81c36082bafa7e04b828eaeeb151c65003e62d83d0a9fd3ab78ed1582640ab22
Instruction ID: 5c521b33a4dae9134e1b15e9c98499ab496b22bf8a05c894b5a5b3cecbf1dc1c
Opcode Fuzzy Hash: 81c36082bafa7e04b828eaeeb151c65003e62d83d0a9fd3ab78ed1582640ab22
Instruction Fuzzy Hash: 7F511374D102188FDF18CFA9D888B9DFBB1FF48714F148219E819AB355D774A888CB95

Function 0179A6C8 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2689036900.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1790000_zBzzGAdzqF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bb96cf49197f80d1e829f6a83308e8946fdb241c8a749a469222efc5fa1122a
Instruction ID: 63f86e65927903053e97a7089294e15cc2635c3c204938e8cbefe3131a5add8b
Opcode Fuzzy Hash: 7bb96cf49197f80d1e829f6a83308e8946fdb241c8a749a469222efc5fa1122a
Instruction Fuzzy Hash: B9513875A01204DFDB04DFA9E884B99FBB2FF88310F14C2AAE9089B355E7709845CB90

Function 01796CE0 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2689036900.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1790000_zBzzGAdzqF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9212a550c2fbcab3c6c1c93b5ecf7019a55000be83c88cdc193e5d02982364cd
Instruction ID: a7b489756e937dc51befe43243c329ab044511253b51b46d897e1a150c078b0e
Opcode Fuzzy Hash: 9212a550c2fbcab3c6c1c93b5ecf7019a55000be83c88cdc193e5d02982364cd
Instruction Fuzzy Hash: 3351E370D102188FDF18CFA9D898B9EFBB1FF48714F148219E819AB355D774A888CB95

Function 01791138 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2689036900.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1790000_zBzzGAdzqF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e3634288de9c1183bf70adb390b4e2205c3942cde82cc8de001640a9dd0322a
Instruction ID: f00b4f34eb63a145eec15538305bdf734aaf5a565105f0c52ae6eb5cdaedc9fd
Opcode Fuzzy Hash: 3e3634288de9c1183bf70adb390b4e2205c3942cde82cc8de001640a9dd0322a
Instruction Fuzzy Hash: 93510AB02122428FDB09EF28F9C4D583B7AF7D170470486BDD5056BA26EB3E6D05CB86

Function 01791137 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2689036900.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1790000_zBzzGAdzqF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 897fef7d9ea0daa815062fdc91c12608d6f47bfa68ddb6fb72153f36678ffd22
Instruction ID: 3eec1c080d84636efa5307c746542dce8ee23ebe6f31c47f61fed025d5b2b10e
Opcode Fuzzy Hash: 897fef7d9ea0daa815062fdc91c12608d6f47bfa68ddb6fb72153f36678ffd22
Instruction Fuzzy Hash: DB510CB02122428FDB09EF28F9C4D583B76F7D170470486BDD5056BA26EB3E6D05CB86

Function 0179DE6A Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2689036900.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1790000_zBzzGAdzqF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48031d25890b9c881dc17139aba84af9de2a7dd4355f2d580a6ec61e9dc13f42
Instruction ID: c044a5ff4854b8cb2f81441ad8c0a8bacc14fe0d8a13d34a6d5613b0f9b03258
Opcode Fuzzy Hash: 48031d25890b9c881dc17139aba84af9de2a7dd4355f2d580a6ec61e9dc13f42
Instruction Fuzzy Hash: 97315A75B00615EFD705CB69D890E7AB77AFBC8700F54C168E4029B299CB36EC42DBA0

Function 01797D80 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2689036900.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1790000_zBzzGAdzqF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 860ce184cd63f30ba34f31c8056139956dc43187e5a8ef491a11b02b122e0a13
Instruction ID: caaff70cce18e12dbbaf781628fa1cbd50150d9ccfe8a2bef1c471b201fc0347
Opcode Fuzzy Hash: 860ce184cd63f30ba34f31c8056139956dc43187e5a8ef491a11b02b122e0a13
Instruction Fuzzy Hash: 92315E31E206099BDF29DFA9D8547AEF7B2FF89700F108529E405FB241E7749985CB50

Function 01797D90 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2689036900.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1790000_zBzzGAdzqF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77f53e25cb6421f538b311c3841aa8795c06b76b56efc37a8402bb9bc4a2cba8
Instruction ID: 53451c0dd9ea356df331e98c661750ecc86943236da761aeac2b975b48d8558d
Opcode Fuzzy Hash: 77f53e25cb6421f538b311c3841aa8795c06b76b56efc37a8402bb9bc4a2cba8
Instruction Fuzzy Hash: 01313C31E202099BDF19DFA9E4547AEF7B2FF89710F608529E505FB240EB70A9858B50

Function 017926DC Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2689036900.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1790000_zBzzGAdzqF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d56d85d60b348c8b4a48acb8a0a7b64a5cc367d5c1dc586f2c4c1a85ec13e290
Instruction ID: 8db130c628aa8729f6a73f565a2e4ec571c2a700dca36d960f9c0cc4a24fafa2
Opcode Fuzzy Hash: d56d85d60b348c8b4a48acb8a0a7b64a5cc367d5c1dc586f2c4c1a85ec13e290
Instruction Fuzzy Hash: 5E41EF74900749EFDF14DF99D884A9EFBF5FF48314F148029E809AB250DB75A949CB90

Function 01795097 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2689036900.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1790000_zBzzGAdzqF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2c86ca6600a02df0811a850c1805edc897825816812c7fdfd4d054344c5258b
Instruction ID: 29aead50e6bc23c5ae756235b00de42bf2376d5704d5a4c0e0bf81d94abd3ffb
Opcode Fuzzy Hash: f2c86ca6600a02df0811a850c1805edc897825816812c7fdfd4d054344c5258b
Instruction Fuzzy Hash: F0313E74700226CFDF1AEF78E5546ADBBB6AF49240F1005B9D501AB354DB3ADC05CB91

Function 017926E8 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2689036900.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1790000_zBzzGAdzqF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a0733b24970f6ed8c763a641d69842acc10bc4d67d0e21ae9be61de3c56592c
Instruction ID: 878454abb62ed2f5cbb437a5d203693b0cba93ef2382ceb851850f2e58be1a47
Opcode Fuzzy Hash: 4a0733b24970f6ed8c763a641d69842acc10bc4d67d0e21ae9be61de3c56592c
Instruction Fuzzy Hash: 2341EEB4D00348AFDB14DFA9D884ADEBBF5EF48314F148429E809AB254DB75A949CB90

Function 017950A8 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2689036900.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1790000_zBzzGAdzqF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d64fd95fcad86ceecb1d1be6f1ca97d7d86d8e8100b41781d9c91f9cb87efba2
Instruction ID: 66d2e47a4aaa83ffbec20b80d90e9084520ccc8485de99d2e8a67e27a336ca73
Opcode Fuzzy Hash: d64fd95fcad86ceecb1d1be6f1ca97d7d86d8e8100b41781d9c91f9cb87efba2
Instruction Fuzzy Hash: B2314E74700225CFDF19EB78E9546AEB7B6AF88240F5004BDD501AB394DB3ADC45CB91

Function 0179A068 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2689036900.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1790000_zBzzGAdzqF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 910faa6c15eac3221b3641906f33b679786264599a350a3a9bb3b954c9daa8a9
Instruction ID: caa07c7a1d10ae2378c2922a7f07001db97f9ed6c0d131c2cecdb2074f33d968
Opcode Fuzzy Hash: 910faa6c15eac3221b3641906f33b679786264599a350a3a9bb3b954c9daa8a9
Instruction Fuzzy Hash: 9731A274A0524A9BDF15CF6CD85479EFBB2FF89300F10C629E805AB341EB75A845CB90

Function 0179169F Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2689036900.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1790000_zBzzGAdzqF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f76c92c4226ec977f2b25d91f6ec6f19b3eb072900d8113803f9358658987fe1
Instruction ID: 6163639ede563b170edb6a4463bd2278e3d3db9b373e3e9d9ba7585061525974
Opcode Fuzzy Hash: f76c92c4226ec977f2b25d91f6ec6f19b3eb072900d8113803f9358658987fe1
Instruction Fuzzy Hash: 97218030A002029BDF21EF6CF884B6D77A9EB85724F504975D406CB656DB3CEC598B92

Function 0179A078 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2689036900.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1790000_zBzzGAdzqF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad28419c5054acfe23c21e6618071694548d055792fd3c5ff2731bbc7c7484dc
Instruction ID: 8fe63f6ce4f00cd2820aec172934aa11edbb3eb602da11f723a728d331782606
Opcode Fuzzy Hash: ad28419c5054acfe23c21e6618071694548d055792fd3c5ff2731bbc7c7484dc
Instruction Fuzzy Hash: 20216574E0124A9BDF15CF6CD89069EFBB2FF89300F50862AE805AB341EB759C45CB50

Function 01799F68 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2689036900.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1790000_zBzzGAdzqF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baf65f37a984d7467a7b06ab401019db1e16d7ff19df58b0084e0d3d3ebf1a64
Instruction ID: 2736b0b50c8d604be8bc08ff08de9dcd9be9bc10bbb006c60f39b7c1461ac132
Opcode Fuzzy Hash: baf65f37a984d7467a7b06ab401019db1e16d7ff19df58b0084e0d3d3ebf1a64
Instruction Fuzzy Hash: 17218135E102099BDF19CFA8D45069EF7B2EF89310F60861AF916BB341EB70A849CB51

Function 01791878 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2689036900.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1790000_zBzzGAdzqF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06e9ec843c2c9601cd330e069475da7cbc499c4cf8de0e794c82b3305c4250eb
Instruction ID: fca3bcf26ac15e2ece85b7a9c695795ac10696d985231ff75e083f4412f5129a
Opcode Fuzzy Hash: 06e9ec843c2c9601cd330e069475da7cbc499c4cf8de0e794c82b3305c4250eb
Instruction Fuzzy Hash: D8217C30B00246CFEF14DB78D5156AEBBF2AF49220F5005A8D506EB390DB3A9C14DBA1

Function 0179A860 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2689036900.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1790000_zBzzGAdzqF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 549e34c0b676ca1e1aec0d362ae77e9f13ba3dea6f2e296f5097c4a6ca7319a8
Instruction ID: 970b539b6460fcfb42ab2f6dca5aac80667f1a66fbe11cb446219aa886778a14
Opcode Fuzzy Hash: 549e34c0b676ca1e1aec0d362ae77e9f13ba3dea6f2e296f5097c4a6ca7319a8
Instruction Fuzzy Hash: 0B21C275B402048FEF14DB6DD854BAEBBF6FF88724F118169E505EB3A4DA718D048B90

Function 0179A854 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2689036900.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1790000_zBzzGAdzqF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ca939953e45010e74c474428105fabfc35b33d26b5e8793fb08820c61e6a036
Instruction ID: d41dc98b0e5476b9b9bab9fa28db35e6ff19a5fcf7f33f9641e2999b52652546
Opcode Fuzzy Hash: 1ca939953e45010e74c474428105fabfc35b33d26b5e8793fb08820c61e6a036
Instruction Fuzzy Hash: 4E21B075B511048FEF15DB68D958BAEB7F6BF88720F158069E405EB3A4DA718C088B90

Function 01794F8C Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2689036900.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1790000_zBzzGAdzqF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ccc8b4ae2e55ea8e27f3dcf684188b8e26806386df61cd5e3066b04582ac413
Instruction ID: 5d52abdf79975651bb804b059fe37b8caad1750b73d4faa45614158aebc553f6
Opcode Fuzzy Hash: 1ccc8b4ae2e55ea8e27f3dcf684188b8e26806386df61cd5e3066b04582ac413
Instruction Fuzzy Hash: CF21F374700215CFDB58DF78D558AADB7F6BB89200F1040A9E40AEB364DB36AD05CB91

Function 013BD030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2687134865.00000000013BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_13bd000_zBzzGAdzqF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88b3c0af62e9e1cd235d357622d104f99a07dc94e46c49402c9ddedb2e8502fa
Instruction ID: 5ee6d3cb9c3fe3100648e3af873d03f598926881aff178580200abf4f1e20088
Opcode Fuzzy Hash: 88b3c0af62e9e1cd235d357622d104f99a07dc94e46c49402c9ddedb2e8502fa
Instruction Fuzzy Hash: 982100B1504304DFDB15DF94D9C0B66BBA5FB8421CF20C569DA090AA56D33AD446CA62

Function 01791888 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2689036900.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1790000_zBzzGAdzqF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 860df76ba53b60c8e72bc66cd3482ae7d157c8587986807bb1995709ba69c30e
Instruction ID: 24cc5176583effdf26e114930cb713c02982e5bc0ca8e5e2ad4d3e1447c40d6d
Opcode Fuzzy Hash: 860df76ba53b60c8e72bc66cd3482ae7d157c8587986807bb1995709ba69c30e
Instruction Fuzzy Hash: BB216030B00246CFDF14EB78D5257AEBBF6AB49260F500478D506EB354DB3A9C14CBA1

Function 01799F78 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2689036900.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1790000_zBzzGAdzqF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6e7ab837fe54720559beb1386e3905c9e97959d2639bd28e929092405a04a6c
Instruction ID: 7f7095f0b451a953299929fac96aa27a25fa69f6d02696e6e412e5fb580c2746
Opcode Fuzzy Hash: d6e7ab837fe54720559beb1386e3905c9e97959d2639bd28e929092405a04a6c
Instruction Fuzzy Hash: 3E216230E102099BDF19CFA8D49069EF7B6FF89310F50861AE915FB341EB70A845CB50

Function 0179138C Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2689036900.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1790000_zBzzGAdzqF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 298ded1779bb66c30eee3f5480f85b0e21633020e07f6f855d70d552f048da05
Instruction ID: 6c1e188ba5fdf346a9004efa734c1a1a9b6049e35630d872281908e8ab0a0d14
Opcode Fuzzy Hash: 298ded1779bb66c30eee3f5480f85b0e21633020e07f6f855d70d552f048da05
Instruction Fuzzy Hash: 5D2166706002029BEF36972CF48872DB6F5F74A335F904839E507DB795DB29D8998782

Function 017916B0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2689036900.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1790000_zBzzGAdzqF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1900e65299b92e71a1cb6d5c00a432004829b9b63eb4a712b74299cb2b9b2822
Instruction ID: 281129f3eab27a16de2f4490f99ba1c6f0a5c12fe890bb744e48b185fd7eeace
Opcode Fuzzy Hash: 1900e65299b92e71a1cb6d5c00a432004829b9b63eb4a712b74299cb2b9b2822
Instruction Fuzzy Hash: 1C216F306002028BEF21EF6CF884B1D77A9E7C5B24F504975D406CBA56DB3CEC598B92

Function 01794F98 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2689036900.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1790000_zBzzGAdzqF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 731893f7e4305164bcdc5f982b2a222552f98177d37855892ca3ea3d1eb00289
Instruction ID: 40892449c056184415236bef41e4a9ca2035aafba372bb3201bba0e77a0e9591
Opcode Fuzzy Hash: 731893f7e4305164bcdc5f982b2a222552f98177d37855892ca3ea3d1eb00289
Instruction Fuzzy Hash: 60211674700215CFDB18DF78D558AADB7F6AB89300F1000A8E506EB3A4DB36AD04CB91

Function 01790838 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2689036900.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1790000_zBzzGAdzqF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eadf73db0db59b2763462ceffa21e336a58b5abff1b65b258331df8b75c8066d
Instruction ID: 8050f5bcc105a10579e34daa5211aad4763efc5bf5bdaa0b3f51d1cf4edc69e6
Opcode Fuzzy Hash: eadf73db0db59b2763462ceffa21e336a58b5abff1b65b258331df8b75c8066d
Instruction Fuzzy Hash: AB11CB307543044FEF66667CA850B2AB76DFB96224F1448BAF402CF243D629CC898BD1

Function 01790848 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2689036900.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1790000_zBzzGAdzqF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 775ee544977dd42ecc2ce45bb7e5778dfdea2393303dd0db670c585db825a37f
Instruction ID: 8dcb918c9333e39e9d45d770e9af6920c2ca6e9a2103babb6ed46f4f4914b822
Opcode Fuzzy Hash: 775ee544977dd42ecc2ce45bb7e5778dfdea2393303dd0db670c585db825a37f
Instruction Fuzzy Hash: A0117730B503084BEF65AA7DE844B29B2ADFB85625F104979F006CF352DB79DC898BC1

Function 01796B98 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2689036900.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1790000_zBzzGAdzqF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd7bc81bb4d3bdbdf0e0de07a985964964de43a8e6b7d64307ca9eee6d3e6a1e
Instruction ID: 076c513061087c99ca4797f2c5fdcf88d300708acadffb346da74db4ce42b85e
Opcode Fuzzy Hash: cd7bc81bb4d3bdbdf0e0de07a985964964de43a8e6b7d64307ca9eee6d3e6a1e
Instruction Fuzzy Hash: 2C1104306087849FC726AB7C982015EBFF6EF8B310B1545AED045DB692EB399C04C7A2

Function 017917C0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2689036900.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1790000_zBzzGAdzqF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9aefbf99949cd8784de95692ded59fee3a67f20b8f8705f69b1ed38a0e3be443
Instruction ID: 82d0e3e6543b06567f7133bba42f1a23942ee6b111ed9d5c4b141a2fad68974d
Opcode Fuzzy Hash: 9aefbf99949cd8784de95692ded59fee3a67f20b8f8705f69b1ed38a0e3be443
Instruction Fuzzy Hash: 6711E3B6B003068FCF20ABB9A84466FBBE5EB49670F504479E506E7344EB35C8158792

Function 01791488 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2689036900.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1790000_zBzzGAdzqF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3090d860a13c7fe33f254909679bd5bc03b33e4a06af2154f8d38c1f7023d56a
Instruction ID: 1471f167011878aa4f796dc477d6cac196424793767df25287d2d1dbb8f99a52
Opcode Fuzzy Hash: 3090d860a13c7fe33f254909679bd5bc03b33e4a06af2154f8d38c1f7023d56a
Instruction Fuzzy Hash: 33118231A003179BCF21EFBCA45416DBBB5EB58230B6504B9E80AD7246E735C9558BD1

Function 0179A6B8 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2689036900.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1790000_zBzzGAdzqF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68fb109ad10146b3ba480090e8a6f24deeaf98962d5cd61cd5ee641f776318c8
Instruction ID: a6c18af2f8bd4779819dc1a3d3efebcb455353446a8328e15579f394bbc7ee30
Opcode Fuzzy Hash: 68fb109ad10146b3ba480090e8a6f24deeaf98962d5cd61cd5ee641f776318c8
Instruction Fuzzy Hash: 7B110231A053048FDB05DF68EC44A8ABFB5FF96310F5581AAC8085F296E770DC09CBA2

Function 013BD02B Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2687134865.00000000013BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_13bd000_zBzzGAdzqF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd2c54e641c636489e18f71c5e932094e1140b5f592d34fffac0146327057262
Instruction ID: 0e0dd8747b40b681931c84f0458ca3a9be76b86106556ad1f2a40d385337353b
Opcode Fuzzy Hash: dd2c54e641c636489e18f71c5e932094e1140b5f592d34fffac0146327057262
Instruction Fuzzy Hash: 1B11BB75504284CFCB12CF54D9C4B15BFA2FB84318F28C6AAD9494BA56C33AD44ACB62

Function 01791498 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2689036900.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1790000_zBzzGAdzqF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0d2b96a773b78930d627e95c3800986806fdfda2d609657f7ff6022836f0c49
Instruction ID: 5c887a93e1b9d1222d3051f4796e167bc4023804e0405adf4fa41251e048b8d7
Opcode Fuzzy Hash: a0d2b96a773b78930d627e95c3800986806fdfda2d609657f7ff6022836f0c49
Instruction Fuzzy Hash: A4018031A002169BCF21EFB8A4541AEFBFAEB58220B650479D809E7301E735C945CBD1

Function 0179A6C5 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2689036900.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1790000_zBzzGAdzqF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 114b3cd695e076eb3890bfa059683ece28356a132721ad5695fc9a5d50a330c7
Instruction ID: a8955e4a67a4414377d54621baecbfa07ca6009937a1340a2d2a55dd426c2fd0
Opcode Fuzzy Hash: 114b3cd695e076eb3890bfa059683ece28356a132721ad5695fc9a5d50a330c7
Instruction Fuzzy Hash: FC01B535A002048BDF04DF98D985B9ABB75FF84311F54C564C80C6F295EB70DD05CBA1

Function 01798F08 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2689036900.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1790000_zBzzGAdzqF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ae23999ec1f818c0e9001badc92de8a21ed1e7c7f8988ab2571758a8a5a0ed5
Instruction ID: cc301fdedc15bc51cb2b7c156f43606324b1893fbe4f3c1572c2d47858389abf
Opcode Fuzzy Hash: 6ae23999ec1f818c0e9001badc92de8a21ed1e7c7f8988ab2571758a8a5a0ed5
Instruction Fuzzy Hash: 69017130900209EFCB45EFA8EC60A9D7BF5FF81700B5045B9C404AB250EB386F45ABA1

Function 01791524 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2689036900.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1790000_zBzzGAdzqF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 057b8e862e9cd2ca37c83a89bd0fb880f81715844a48f52ce19d813b463b7bc7
Instruction ID: a5d6b10517ae272eacb3384015a20ea7331f326c40898fe8e5c908085a23e9f7
Opcode Fuzzy Hash: 057b8e862e9cd2ca37c83a89bd0fb880f81715844a48f52ce19d813b463b7bc7
Instruction Fuzzy Hash: E0F02B33A04111CFDF22CBA8A4941ACFFB1FA681317AE40D7D846DB211D325D51ACB51

Function 01797EA8 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2689036900.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1790000_zBzzGAdzqF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e123b120dd211a48b1313eb4c0d421ec0b23bd8fba36fbcfdbe6da910a430b70
Instruction ID: 3b2a8a5cb6daf0aaf07efdc9ee0f1e487f3c0249b20e211e223dfaa676413999
Opcode Fuzzy Hash: e123b120dd211a48b1313eb4c0d421ec0b23bd8fba36fbcfdbe6da910a430b70
Instruction Fuzzy Hash: 44F0C435B40514CFCB14DB68D598B6D77F2EF89721F2084A8E5069B3A4DB35AD02DF50

Function 01798F18 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2689036900.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1790000_zBzzGAdzqF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b25cf15dfc65e9605a85da444ce4eda4357c68469cc1daa4ec7765b25089634
Instruction ID: 63cfb441d224df2d31feee5c73a105e4d95aa769c7fe7f3da1dfa6936a9a570a
Opcode Fuzzy Hash: 5b25cf15dfc65e9605a85da444ce4eda4357c68469cc1daa4ec7765b25089634
Instruction Fuzzy Hash: 70F0EC30910209EFDB44EFA8ED90A9D7BB5FF80B04F504A79C405AB650EB396F45AB91

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Telco 32pcs New Purchase Order.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Telco 32pcs New Purchase Order.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\zBzzGAdzqF.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_432uztg2.dii.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4qeyzlb4.2uh.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5xz2eenz.tcz.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mvm4nvtf.0f2.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_q5sra2fq.eff.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_s4k1gxl0.mbg.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_szz10lyr.bj1.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_udh5n3ix.poz.psm1

C:\Users\user\AppData\Local\Temp\tmp4878.tmp

Windows Analysis Report
Telco 32pcs New Purchase Order.exe

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre