Windows Analysis Report
PO F1298-24 Fabric Order.exe

Overview

General Information

Sample name: PO F1298-24 Fabric Order.exe
Analysis ID: 1541083
MD5: 2ce31411b27c3fcdf0bfb5e56a784584
SHA1: 5afa11934390d52249dc138853922e64dcfaa528
SHA256: 473c91688591c4649ea77e07c95d77ecb87fbb22e060a9e1f4540af522d59ff5
Tags: AgentTesla, exe, user-TeamDreier

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected UAC Bypass using CMSTP
.NET source code references suspicious native API functions
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Disables UAC (registry)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file does not import any functions
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Outbound SMTP Connections
Uses SMTP (mail sending)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • PO F1298-24 Fabric Order.exe (PID: 2452 cmdline: "C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe" MD5: 2CE31411B27C3FCDF0BFB5E56A784584)
    • powershell.exe (PID: 1200 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe" -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegAsm.exe (PID: 4708 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
    • RegAsm.exe (PID: 5512 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
    • WerFault.exe (PID: 6164 cmdline: C:\Windows\system32\WerFault.exe -u -p 2452 -s 1604 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution:
  • SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware configuration: {"Exfil Mode": "SMTP", "Port": "25", "Host": "mail.iaa-airferight.com", "Username": "admin@iaa-airferight.com", "Password": "manlikeyou88"}
Source | Rule | Description | Author | Strings
00000004.00000002.3351887667.0000000002FBE000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.2330596455.000001855C594000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
00000004.00000002.3345081837.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000004.00000002.3345081837.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.2331410579.000001856CE42000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
(5 of 9 entries shown)

Source | Rule | Description | Author | Strings
4.2.RegAsm.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
4.2.RegAsm.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
4.2.RegAsm.exe.400000.0.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen | matched strings listed below
  • 0x334cb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x3353d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x335c7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x33659:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x336c3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x33735:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x337cb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x3385b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.PO F1298-24 Fabric Order.exe.1856ce7d3c0.4.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
0.2.PO F1298-24 Fabric Order.exe.1856ce7d3c0.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(5 of 10 entries shown)

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe", ParentImage: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe, ParentProcessId: 2452, ParentProcessName: PO F1298-24 Fabric Order.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe" -Force, ProcessId: 1200, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe", ParentImage: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe, ParentProcessId: 2452, ParentProcessName: PO F1298-24 Fabric Order.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe" -Force, ProcessId: 1200, ProcessName: powershell.exe
Source: Network Connection; Author: frack113; Data: DestinationIp: 46.175.148.58, DestinationIsIpv6: false, DestinationPort: 25, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Initiated: true, ProcessId: 4708, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49704
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe", ParentImage: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe, ParentProcessId: 2452, ParentProcessName: PO F1298-24 Fabric Order.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe" -Force, ProcessId: 1200, ProcessName: powershell.exe
                    No Suricata rule has matched

                    AV Detection

Source: 0.2.PO F1298-24 Fabric Order.exe.1856ceb7e08.3.raw.unpack; Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "25", "Host": "mail.iaa-airferight.com", "Username": "admin@iaa-airferight.com", "Password": "manlikeyou88"}
Source: PO F1298-24 Fabric Order.exe; ReversingLabs: Detection: 52%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: PO F1298-24 Fabric Order.exe; Joe Sandbox ML: detected

                    Exploits

Source: Yara match; File source: 00000000.00000002.2330596455.000001855C594000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: PO F1298-24 Fabric Order.exe PID: 2452, type: MEMORYSTR
Source: PO F1298-24 Fabric Order.exe; Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WER6BA7.tmp.dmp.8.dr
                    Source: Binary string: System.ni.pdbRSDS source: WER6BA7.tmp.dmp.8.dr
                    Source: Binary string: System.Windows.Forms.ni.pdb source: WER6BA7.tmp.dmp.8.dr
                    Source: Binary string: Microsoft.VisualBasic.pdb0 source: WER6BA7.tmp.dmp.8.dr
                    Source: Binary string: System.Drawing.ni.pdb source: WER6BA7.tmp.dmp.8.dr
                    Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER6BA7.tmp.dmp.8.dr
                    Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER6BA7.tmp.dmp.8.dr
                    Source: Binary string: System.Drawing.ni.pdbRSDS source: WER6BA7.tmp.dmp.8.dr
                    Source: Binary string: System.pdb source: WER6BA7.tmp.dmp.8.dr
                    Source: Binary string: System.Core.ni.pdb source: WER6BA7.tmp.dmp.8.dr
                    Source: Binary string: Microsoft.VisualBasic.pdb source: WER6BA7.tmp.dmp.8.dr
                    Source: Binary string: System.Windows.Forms.pdb source: WER6BA7.tmp.dmp.8.dr
                    Source: Binary string: mscorlib.pdb source: WER6BA7.tmp.dmp.8.dr
                    Source: Binary string: System.Drawing.pdbq1 source: WER6BA7.tmp.dmp.8.dr
                    Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER6BA7.tmp.dmp.8.dr
                    Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WER6BA7.tmp.dmp.8.dr
                    Source: Binary string: System.Drawing.pdb source: WER6BA7.tmp.dmp.8.dr
                    Source: Binary string: System.Management.pdb source: WER6BA7.tmp.dmp.8.dr
                    Source: Binary string: mscorlib.ni.pdb source: WER6BA7.tmp.dmp.8.dr
                    Source: Binary string: System.Management.ni.pdb source: WER6BA7.tmp.dmp.8.dr
                    Source: Binary string: System.Core.pdb source: WER6BA7.tmp.dmp.8.dr
                    Source: Binary string: System.Core.pdb& source: WER6BA7.tmp.dmp.8.dr
                    Source: Binary string: System.ni.pdb source: WER6BA7.tmp.dmp.8.dr
                    Source: Binary string: System.Core.ni.pdbRSDS source: WER6BA7.tmp.dmp.8.dr
Source: Joe Sandbox View; IP Address: 46.175.148.58
Source: Joe Sandbox View; ASN Name: ASLAGIDKOM-NETUA
Source: global traffic; TCP traffic: 192.168.2.5:49704 -> 46.175.148.58:25
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; DNS traffic detected: DNS query: mail.iaa-airferight.com
Source: RegAsm.exe, 00000004.00000002.3351887667.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://mail.iaa-airferight.com
Source: Amcache.hve.8.dr; String found in binary or memory: http://upx.sf.net
Source: PO F1298-24 Fabric Order.exe, 00000000.00000002.2331410579.000001856CE42000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.3345081837.0000000000402000.00000040.00000400.00020000.00000000.sdmp; String found in binary or memory: https://account.dyn.com/

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.PO F1298-24 Fabric Order.exe.1856ceb7e08.3.raw.unpack, SKTzxzsJw.cs; .Net Code: sf6jJs8S
Source: 0.2.PO F1298-24 Fabric Order.exe.1856ce7d3c0.4.raw.unpack, SKTzxzsJw.cs; .Net Code: sf6jJs8S

                    System Summary

Source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.PO F1298-24 Fabric Order.exe.1856ce7d3c0.4.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.PO F1298-24 Fabric Order.exe.1856ceb7e08.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.PO F1298-24 Fabric Order.exe.1856ceb7e08.3.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.PO F1298-24 Fabric Order.exe.1856ce7d3c0.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: initial sample; Static PE information: Filename: PO F1298-24 Fabric Order.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02DF9378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02DF4A98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02DF9B38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02DF3E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02DFCDB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_02DF41C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_064656E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_06463F50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_0646BD08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_0646DD18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_06469AE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_06462B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_06468BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_06460040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_06463250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_06465000
Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe; Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2452 -s 1604
Source: PO F1298-24 Fabric Order.exe; Static PE information: No import functions for PE file found
Source: PO F1298-24 Fabric Order.exe, 00000000.00000002.2331410579.000001856C267000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameNewStb.exe4 vs PO F1298-24 Fabric Order.exe
Source: PO F1298-24 Fabric Order.exe, 00000000.00000000.2093564112.000001855A406000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: OriginalFilenameNewStb.exe4 vs PO F1298-24 Fabric Order.exe
Source: PO F1298-24 Fabric Order.exe, 00000000.00000002.2331410579.000001856CE42000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilename7e5bb978-3a35-43a5-95fe-dd44d69d6a5a.exe4 vs PO F1298-24 Fabric Order.exe
Source: PO F1298-24 Fabric Order.exe; Binary or memory string: OriginalFilenameNewStb.exe4 vs PO F1298-24 Fabric Order.exe
Source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.PO F1298-24 Fabric Order.exe.1856ce7d3c0.4.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.PO F1298-24 Fabric Order.exe.1856ceb7e08.3.raw.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.PO F1298-24 Fabric Order.exe.1856ceb7e08.3.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.PO F1298-24 Fabric Order.exe.1856ce7d3c0.4.raw.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: PO F1298-24 Fabric Order.exe, .cs; Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.PO F1298-24 Fabric Order.exe.1856ceb7e08.3.raw.unpack, 4JJG6X.cs; Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO F1298-24 Fabric Order.exe.1856ceb7e08.3.raw.unpack, 4JJG6X.cs; Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO F1298-24 Fabric Order.exe.1856ceb7e08.3.raw.unpack, 8C78isHTVco.cs; Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO F1298-24 Fabric Order.exe.1856ceb7e08.3.raw.unpack, 8C78isHTVco.cs; Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO F1298-24 Fabric Order.exe.1856ceb7e08.3.raw.unpack, 8C78isHTVco.cs; Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO F1298-24 Fabric Order.exe.1856ceb7e08.3.raw.unpack, 8C78isHTVco.cs; Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO F1298-24 Fabric Order.exe.1856ceb7e08.3.raw.unpack, CqSP68Ir.cs; Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO F1298-24 Fabric Order.exe.1856ceb7e08.3.raw.unpack, CqSP68Ir.cs; Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine; Classification label: mal100.troj.spyw.expl.evad.winEXE@9/10@1/1
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6592:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2452
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_au4vegts.fju.ps1
Source: PO F1298-24 Fabric Order.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe; File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: PO F1298-24 Fabric Order.exe; ReversingLabs: Detection: 52%
Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe; File read: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe
Source: unknown; Process created: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe "C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe"
Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe" -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe; Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2452 -s 1604
Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe" -Force
Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe; Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe; Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe; Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe; Section loaded: version.dll
Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe; Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe; Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe; Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe; Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe; Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe; Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe; Section loaded: wldp.dll
Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe; Section loaded: amsi.dll
Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe; Section loaded: userenv.dll
Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe; Section loaded: profapi.dll
Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe; Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe; Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe; Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe; Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe; Section loaded: propsys.dll
Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe; Section loaded: edputil.dll
Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe; Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe; Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe; Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe; Section loaded: netutils.dll
Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe; Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe; Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe; Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe; Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe; Section loaded: slc.dll
Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe; Section loaded: sppc.dll
Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe; Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe; Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wininet.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: aclayers.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mpr.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc_os.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: vaultcli.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                    Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\ProfilesJump to behavior
                    Source: PO F1298-24 Fabric Order.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: PO F1298-24 Fabric Order.exeStatic file information: File size 3415639 > 1048576
                    Source: PO F1298-24 Fabric Order.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WER6BA7.tmp.dmp.8.dr
                    Source: Binary string: System.ni.pdbRSDS source: WER6BA7.tmp.dmp.8.dr
                    Source: Binary string: System.Windows.Forms.ni.pdb source: WER6BA7.tmp.dmp.8.dr
                    Source: Binary string: Microsoft.VisualBasic.pdb0 source: WER6BA7.tmp.dmp.8.dr
                    Source: Binary string: System.Drawing.ni.pdb source: WER6BA7.tmp.dmp.8.dr
                    Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER6BA7.tmp.dmp.8.dr
                    Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER6BA7.tmp.dmp.8.dr
                    Source: Binary string: System.Drawing.ni.pdbRSDS source: WER6BA7.tmp.dmp.8.dr
                    Source: Binary string: System.pdb source: WER6BA7.tmp.dmp.8.dr
                    Source: Binary string: System.Core.ni.pdb source: WER6BA7.tmp.dmp.8.dr
                    Source: Binary string: Microsoft.VisualBasic.pdb source: WER6BA7.tmp.dmp.8.dr
                    Source: Binary string: System.Windows.Forms.pdb source: WER6BA7.tmp.dmp.8.dr
                    Source: Binary string: mscorlib.pdb source: WER6BA7.tmp.dmp.8.dr
                    Source: Binary string: System.Drawing.pdbq1 source: WER6BA7.tmp.dmp.8.dr
                    Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER6BA7.tmp.dmp.8.dr
                    Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WER6BA7.tmp.dmp.8.dr
                    Source: Binary string: System.Drawing.pdb source: WER6BA7.tmp.dmp.8.dr
                    Source: Binary string: System.Management.pdb source: WER6BA7.tmp.dmp.8.dr
                    Source: Binary string: mscorlib.ni.pdb source: WER6BA7.tmp.dmp.8.dr
                    Source: Binary string: System.Management.ni.pdb source: WER6BA7.tmp.dmp.8.dr
                    Source: Binary string: System.Core.pdb source: WER6BA7.tmp.dmp.8.dr
                    Source: Binary string: System.Core.pdb& source: WER6BA7.tmp.dmp.8.dr
                    Source: Binary string: System.ni.pdb source: WER6BA7.tmp.dmp.8.dr
                    Source: Binary string: System.Core.ni.pdbRSDS source: WER6BA7.tmp.dmp.8.dr

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                    Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: Yara match; File source: Process Memory Space: PO F1298-24 Fabric Order.exe PID: 2452, type: MEMORYSTR
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
                    Source: PO F1298-24 Fabric Order.exe, 00000000.00000002.2330596455.000001855C594000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: WINE_GET_UNIX_FILE_NAME
                    Source: PO F1298-24 Fabric Order.exe, 00000000.00000002.2330596455.000001855C594000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: SBIEDLL.DLL
                    Source: PO F1298-24 Fabric Order.exe, 00000000.00000002.2330596455.000001855C594000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: SBIEDLL.DLL0UEZ
                    Source: PO F1298-24 Fabric Order.exe, 00000000.00000002.2330596455.000001855C594000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: WINE_GET_UNIX_FILE_NAMEP
                    Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe; Memory allocated: 1855A770000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe; Memory allocated: 18574260000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe; Memory allocated: 1857C920000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Memory allocated: 13D0000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Memory allocated: 2F70000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Memory allocated: 4F70000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe; Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier
                    Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe; File opened / queried: C:\WINDOWS\system32\drivers\vmmouse.sys
                    Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe; Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\disk\Enum name: 0
                    Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe; File opened / queried: C:\WINDOWS\system32\drivers\vmhgfs.sys
                    Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe; File opened / queried: C:\WINDOWS\system32\drivers\VBoxMouse.sys
                    Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe; Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                    Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe; Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                    Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe; Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 7065
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 2578
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Window / User API: threadDelayed 2725
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Window / User API: threadDelayed 7111
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7160; Thread sleep time: -7378697629483816s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7116; Thread sleep count: 32 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7116; Thread sleep time: -29514790517935264s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7116; Thread sleep time: -100000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6408; Thread sleep count: 2725 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7116; Thread sleep time: -99859s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6408; Thread sleep count: 7111 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7116; Thread sleep time: -99749s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7116; Thread sleep time: -99640s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7116; Thread sleep time: -99531s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7116; Thread sleep time: -99422s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7116; Thread sleep time: -99313s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7116; Thread sleep time: -99203s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7116; Thread sleep time: -99094s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7116; Thread sleep time: -98984s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7116; Thread sleep time: -98803s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7116; Thread sleep time: -98609s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7116; Thread sleep time: -98448s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7116; Thread sleep time: -98297s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7116; Thread sleep time: -98172s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7116; Thread sleep time: -98062s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7116; Thread sleep time: -97953s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7116; Thread sleep time: -97843s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7116; Thread sleep time: -97734s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7116; Thread sleep time: -97622s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7116; Thread sleep time: -97516s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7116; Thread sleep time: -97393s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7116; Thread sleep time: -97281s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7116; Thread sleep time: -97172s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7116; Thread sleep time: -97047s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7116; Thread sleep time: -96938s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7116; Thread sleep time: -96813s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7116; Thread sleep time: -96703s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7116; Thread sleep time: -96594s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7116; Thread sleep time: -96469s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7116; Thread sleep time: -96359s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7116; Thread sleep time: -96250s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7116; Thread sleep time: -96141s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7116; Thread sleep time: -96031s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7116; Thread sleep time: -95922s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7116; Thread sleep time: -95812s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7116; Thread sleep time: -95703s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7116; Thread sleep time: -95594s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7116; Thread sleep time: -95469s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7116; Thread sleep time: -95359s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7116; Thread sleep time: -95250s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7116; Thread sleep time: -95141s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7116; Thread sleep time: -95031s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7116; Thread sleep time: -94922s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7116; Thread sleep time: -94813s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7116; Thread sleep time: -94688s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7116; Thread sleep time: -94563s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7116; Thread sleep time: -94453s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7116; Thread sleep time: -94344s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7116; Thread sleep time: -94219s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7116; Thread sleep time: -94109s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7116; Thread sleep time: -94000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 100000Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 99859Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 99749Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 99640Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 99531Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 99422Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 99313Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 99203Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 99094Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 98984Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 98803Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 98609Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 98448Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 98297Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 98172Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 98062Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 97953Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 97843Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 97734Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 97622Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 97516Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 97393Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 97281Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 97172Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 97047Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 96938Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 96813Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 96703Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 96594Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay times: 96469, 96359, 96250, 96141, 96031, 95922, 95812, 95703, 95594, 95469, 95359, 95250, 95141, 95031, 94922, 94813, 94688, 94563, 94453, 94344, 94219, 94109, 94000
Source: Amcache.hve.8.dr | Binary or memory string: VMware
Source: PO F1298-24 Fabric Order.exe, 00000000.00000002.2330596455.000001855C594000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: QEMUP
Source: PO F1298-24 Fabric Order.exe, 00000000.00000002.2330596455.000001855C594000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: "SOFTWARE\VMware, Inc.\VMware ToolsP
Source: PO F1298-24 Fabric Order.exe, 00000000.00000002.2330596455.000001855C594000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Amcache.hve.8.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: PO F1298-24 Fabric Order.exe, 00000000.00000002.2330596455.000001855C594000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE
Source: PO F1298-24 Fabric Order.exe, 00000000.00000002.2330596455.000001855C594000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: Amcache.hve.8.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.8.dr | Binary or memory string: vmci.sys
Source: PO F1298-24 Fabric Order.exe, 00000000.00000002.2330596455.000001855C594000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
Source: PO F1298-24 Fabric Order.exe, 00000000.00000002.2330596455.000001855C594000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
Source: PO F1298-24 Fabric Order.exe, 00000000.00000002.2330596455.000001855C594000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: Amcache.hve.8.dr | Binary or memory string: VMware20,1
Source: PO F1298-24 Fabric Order.exe, 00000000.00000002.2330596455.000001855C594000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: &C:\WINDOWS\system32\drivers\vmhgfs.sysP
Source: Amcache.hve.8.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.8.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.8.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.8.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.8.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.8.dr | Binary or memory string: VMware PCI VMCI Bus Device
Source: PO F1298-24 Fabric Order.exe, 00000000.00000002.2330596455.000001855C594000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: PO F1298-24 Fabric Order.exe, 00000000.00000002.2330596455.000001855C594000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: Amcache.hve.8.dr | Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.8.dr | Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.8.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: PO F1298-24 Fabric Order.exe, 00000000.00000002.2330596455.000001855C594000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWAREP
Source: Amcache.hve.8.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.8.dr | Binary or memory string: VMware Virtual USB Mouse
Source: PO F1298-24 Fabric Order.exe, 00000000.00000002.2330596455.000001855C594000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmwareP
Source: Amcache.hve.8.dr | Binary or memory string: vmci.syshbin
Source: Amcache.hve.8.dr | Binary or memory string: VMware, Inc.
Source: Amcache.hve.8.dr | Binary or memory string: VMware20,1hbin@
Source: PO F1298-24 Fabric Order.exe, 00000000.00000002.2330596455.000001855C594000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: )C:\WINDOWS\system32\drivers\VBoxMouse.sysP
Source: Amcache.hve.8.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.8.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: PO F1298-24 Fabric Order.exe, 00000000.00000002.2330596455.000001855C594000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: %C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\P
Source: PO F1298-24 Fabric Order.exe, 00000000.00000002.2330596455.000001855C594000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: PO F1298-24 Fabric Order.exe, 00000000.00000002.2330596455.000001855C594000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA II
Source: Amcache.hve.8.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: PO F1298-24 Fabric Order.exe, 00000000.00000002.2330596455.000001855C594000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA IIP
Source: RegAsm.exe, 00000004.00000002.3375570384.0000000006260000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: PO F1298-24 Fabric Order.exe, 00000000.00000002.2330596455.000001855C594000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'C:\WINDOWS\system32\drivers\vmmouse.sysP
Source: Amcache.hve.8.dr | Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.8.dr | Binary or memory string: vmci.syshbin`
Source: Amcache.hve.8.dr | Binary or memory string: \driver\vmci,\driver\pci
Source: PO F1298-24 Fabric Order.exe, 00000000.00000002.2330596455.000001855C594000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: Amcache.hve.8.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: PO F1298-24 Fabric Order.exe, 00000000.00000002.2330596455.000001855C594000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: "SOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe | Process queried: DebugPort
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: PO F1298-24 Fabric Order.exe, .cs | Reference to suspicious API methods: GetProcAddress(, )
Source: PO F1298-24 Fabric Order.exe, .cs | Reference to suspicious API methods: VirtualProtect(procAddress, (UIntPtr)(ulong)array.Length, (uint)(int)., out var )
Source: PO F1298-24 Fabric Order.exe, .cs | Reference to suspicious API methods: LoadLibrary([.ToInt32()])
Source: 0.2.PO F1298-24 Fabric Order.exe.1856ceb7e08.3.raw.unpack, zOS.cs | Reference to suspicious API methods: _120HqGy.OpenProcess(_2pIt.DuplicateHandle, bInheritHandle: true, (uint)iVE.ProcessID)
Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe" -Force
Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43C000
Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43E000
Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: E99008
Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe | Queries volume information: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA
Source: Amcache.hve.8.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.8.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.8.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.8.dr | Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match | File source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO F1298-24 Fabric Order.exe.1856ce7d3c0.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO F1298-24 Fabric Order.exe.1856ceb7e08.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO F1298-24 Fabric Order.exe.1856ceb7e08.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO F1298-24 Fabric Order.exe.1856ce7d3c0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.3351887667.0000000002FBE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3345081837.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2331410579.000001856CE42000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3351887667.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PO F1298-24 Fabric Order.exe PID: 2452, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 4708, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match | File source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO F1298-24 Fabric Order.exe.1856ce7d3c0.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO F1298-24 Fabric Order.exe.1856ceb7e08.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO F1298-24 Fabric Order.exe.1856ceb7e08.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO F1298-24 Fabric Order.exe.1856ce7d3c0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.3345081837.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2331410579.000001856CE42000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3351887667.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PO F1298-24 Fabric Order.exe PID: 2452, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 4708, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO F1298-24 Fabric Order.exe.1856ce7d3c0.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO F1298-24 Fabric Order.exe.1856ceb7e08.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO F1298-24 Fabric Order.exe.1856ceb7e08.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO F1298-24 Fabric Order.exe.1856ce7d3c0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.3351887667.0000000002FBE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3345081837.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2331410579.000001856CE42000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3351887667.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PO F1298-24 Fabric Order.exe PID: 2452, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 4708, type: MEMORYSTR
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 221 Windows Management Instrumentation | 1 DLL Side-Loading | 211 Process Injection | 21 Disable or Modify Tools | 2 OS Credential Dumping | 341 Security Software Discovery | Remote Services | 1 Email Collection | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 261 Virtualization/Sandbox Evasion | 1 Input Capture | 1 Process Discovery | Remote Desktop Protocol | 1 Input Capture | 1 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 211 Process Injection | 1 Credentials in Registry | 261 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 11 Archive Collected Data | 11 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Deobfuscate/Decode Files or Information | NTDS | 1 Application Window Discovery | Distributed Component Object Model | 2 Data from Local System | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Steganography | Cached Domain Credentials | 24 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
Source | Detection | Scanner | Label | Link
PO F1298-24 Fabric Order.exe | 53% | ReversingLabs | Win64.Trojan.AntiSandbox
PO F1298-24 Fabric Order.exe | 100% | Joe Sandbox ML
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://upx.sf.net | 0% | URL Reputation | safe
https://account.dyn.com/ | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
mail.iaa-airferight.com | 46.175.148.58 | true | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://upx.sf.net | Amcache.hve.8.dr | false | URL Reputation: safe | unknown
https://account.dyn.com/ | PO F1298-24 Fabric Order.exe, 00000000.00000002.2331410579.000001856CE42000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.3345081837.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://mail.iaa-airferight.com | RegAsm.exe, 00000004.00000002.3351887667.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
Contacted IPs (IP | Domain | Country | ASN | ASN Name | Malicious):
46.175.148.58 | mail.iaa-airferight.com | Ukraine | 56394 | ASLAGIDKOM-NETUA | true
                        Joe Sandbox version:41.0.0 Charoite
                        Analysis ID:1541083
                        Start date and time:2024-10-24 11:55:11 +02:00
                        Joe Sandbox product:CloudBasic
                        Overall analysis duration:0h 5m 27s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:12
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Sample name:PO F1298-24 Fabric Order.exe
                        Detection:MAL
                        Classification:mal100.troj.spyw.expl.evad.winEXE@9/10@1/1
                        EGA Information:
                        • Successful, ratio: 100%
                        HCA Information:
                        • Successful, ratio: 100%
                        • Number of executed functions: 60
                        • Number of non-executed functions: 3
                        Cookbook Comments:
                        • Found application associated with file extension: .exe
                        • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                        • Excluded IPs from analysis (whitelisted): 52.182.143.212
                        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, otelrules.azureedge.net, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                        • Report size getting too big, too many NtCreateKey calls found.
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        • Report size getting too big, too many NtReadVirtualMemory calls found.
                        • Report size getting too big, too many NtSetInformationFile calls found.
                        • VT rate limit hit for: PO F1298-24 Fabric Order.exe
Time | Type | Description
05:56:13 | API Interceptor | 186x Sleep call for process: RegAsm.exe modified
05:56:13 | API Interceptor | 18x Sleep call for process: powershell.exe modified
05:56:30 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
Context (matches against earlier Joe Sandbox submissions). The contacted IP 46.175.148.58, the domain mail.iaa-airferight.com and the ASN ASLAGIDKOM-NETUA each match the same ten earlier samples, every one detected as malicious; for the domain and ASN matches the shared context is again the IP 46.175.148.58.
Associated Sample Name / URL | Threat Name
PO F1298-24 Fabric Order.zip | AgentTesla
PO 316347 24MIA00660067.exe | AgentTesla
Purchase Order For Linear Actuator.exe | AgentTesla
PO FOR CONNECTOR WITH TERMINAL.exe | AgentTesla, PureLog Stealer, zgRAT
New PO-Auras Demand.exe | AgentTesla
SecuriteInfo.com.BackDoor.AgentTeslaNET.37.28277.26776.exe | AgentTesla
New Purchase Order 568330.exe | AgentTesla
SecuriteInfo.com.Win32.PWSX-gen.20380.30925.exe | AgentTesla
rrpC2ZDgUd.exe | AgentTesla
92ZZIUHzPQ.exe | AgentTesla
No context
                                            Process:C:\Windows\System32\WerFault.exe
                                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):65536
                                            Entropy (8bit):1.232640067576066
                                            Encrypted:false
                                            SSDEEP:192:dY1Vo80UnUFaWh8U3eZYdzuiFGZ24lO8L:uHo3UnUFau8JYzuiFGY4lO8L
                                            MD5:72AC3099E0956ED809DF1C2DF912CE16
                                            SHA1:3B1C40ED17FE6738764DBFE383627D8DD3D51EA4
                                            SHA-256:186268BEEA8EAE094A305D050A1C0AEB40DB57FAB13FBF4AD67585CD5AC620EE
                                            SHA-512:DB60A95B2E8865C5B657F5C15FDCE0F24446F066904644DA8A4B458EE8E2C01D9479E415E0C69AB74A53793B7CC890CA68BCF5A9321C4D4B1C42C0B2CA4DC2BB
                                            Malicious:false
                                            Reputation:low
Preview (UTF-16 decoded, NUL bytes dropped; cut off where the report's preview ends):
Version=1
EventType=APPCRASH
EventTime=133742373725061585
ReportType=2
Consent=1
UploadTime=133742373735061442
ReportStatus=524384
ReportIdentifier=fad05113-fe59-4ec5-9ada-2e05d5fb69b6
IntegratorReportIdentifier=b275c3a8-6571-48ef-b639-31316a08f099
Wow64Host=34404
NsAppName=PO F1298-24 Fabric Order.exe
OriginalFilename=NewStb.exe
AppSessionGuid=00000994-0001-0014-e758-2ff2fa25db01
TargetAppId=W:0006c5ef1c76aa5aa253a8401ccdbdc04ebd00000000!00005afa11934390d52249dc138853922e64dcfaa52
This is the Report.wer of the crash that WerFault.exe handled: NsAppName is the sample itself, OriginalFilename=NewStb.exe is the name carried in the sample's version resource (a hunting pivot independent of the lure file name), and the hash after "!" in TargetAppId begins with the sample's SHA1 5afa11934390d52249dc138853922e64dcfaa528.
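The Report.wer above is the kind of artifact an incident responder reads by hand; the following added example (my own code, not part of the Joe Sandbox report) decodes it and converts the FILETIME fields to UTC. The input is constructed here from the key=value pairs visible in the preview, re-encoded as WER writes the file (UTF-16LE with BOM, CRLF line endings); the TargetAppId value is cut off in the preview and is kept truncated rather than completed.

```python
"""Decode a WER Report.wer and extract the crash-context fields an
analyst pivots on: which image crashed, its OriginalFilename from the
version resource, and when (FILETIME -> UTC).

Added example; not part of the Joe Sandbox report. SAMPLE_WER is
constructed from the report's preview of the dropped Report.wer.
"""
from datetime import datetime, timedelta, timezone

# FILETIME counts 100 ns ticks since 1601-01-01; this many ticks separate
# that epoch from the Unix epoch (1970-01-01).
EPOCH_DIFF_TICKS = 116444736000000000

# Constructed from the report's preview (UTF-16LE, BOM, CRLF); the last
# value is truncated exactly where the preview ends.
SAMPLE_WER = ("\ufeff" + "\r\n".join([
    "Version=1",
    "EventType=APPCRASH",
    "EventTime=133742373725061585",
    "ReportType=2",
    "Consent=1",
    "UploadTime=133742373735061442",
    "ReportStatus=524384",
    "ReportIdentifier=fad05113-fe59-4ec5-9ada-2e05d5fb69b6",
    "IntegratorReportIdentifier=b275c3a8-6571-48ef-b639-31316a08f099",
    "Wow64Host=34404",
    "NsAppName=PO F1298-24 Fabric Order.exe",
    "OriginalFilename=NewStb.exe",
    "AppSessionGuid=00000994-0001-0014-e758-2ff2fa25db01",
    "TargetAppId=W:0006c5ef1c76aa5aa253a8401ccdbdc04ebd00000000"
    "!00005afa11934390d52249dc138853922e64dcfaa52",
]) + "\r\n").encode("utf-16-le")


def parse_wer(raw: bytes) -> dict:
    """Return the key=value lines of a Report.wer as a dict.

    The sandbox preview renders every NUL high byte of the UTF-16 text
    as '.', which is why the file looks double-spaced there.
    """
    if raw[:2] == b"\xff\xfe":          # UTF-16LE byte-order mark
        raw = raw[2:]
    fields = {}
    for line in raw.decode("utf-16-le").splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key] = value
    return fields


def filetime_to_utc(ticks: int) -> datetime:
    """Convert a FILETIME integer to an aware UTC datetime."""
    unix_epoch = datetime(1970, 1, 1, tzinfo=timezone.utc)
    return unix_epoch + timedelta(microseconds=(ticks - EPOCH_DIFF_TICKS) // 10)


def crash_summary(raw: bytes) -> dict:
    """The handful of fields worth copying into an IR timeline."""
    f = parse_wer(raw)
    # In this report the part of TargetAppId after '!' is the sample's SHA-1
    # with four leading zeros; treat that as an observation, not a documented
    # format, and strip the zero padding before comparing against hash lists.
    target_hash = f.get("TargetAppId", "").partition("!")[2].lstrip("0")
    return {
        "event": f.get("EventType"),
        "process": f.get("NsAppName"),
        "original_filename": f.get("OriginalFilename"),
        "event_time_utc": filetime_to_utc(int(f["EventTime"])).isoformat(timespec="seconds"),
        "upload_time_utc": filetime_to_utc(int(f["UploadTime"])).isoformat(timespec="seconds"),
        "target_hash": target_hash,
    }


if __name__ == "__main__":
    for key, value in crash_summary(SAMPLE_WER).items():
        print(f"{key}: {value}")
```

The decoded EventTime, 2024-10-24 09:56:12 UTC, lines up with the minidump's own timestamp (Thu Oct 24 09:56:13 2024) and with the 05:56:13 API Interceptor entries, which are in the sandbox's Eastern local time (UTC-4 in October); cross-checking those three clocks is a cheap way to confirm that a crash dump really belongs to the process you think it does.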
                                            Process:C:\Windows\System32\WerFault.exe
                                            File Type:Mini DuMP crash report, 16 streams, Thu Oct 24 09:56:13 2024, 0x1205a4 type
                                            Category:dropped
                                            Size (bytes):478385
                                            Entropy (8bit):3.2903801579008514
                                            Encrypted:false
                                            SSDEEP:3072:i5zVZeFG/cJcSxzHUSs4o8Axubo+1CCqBspPlBLFuGx3+vEpwQB4WjO:yQx7u4JqBMv3QEpwUXj
                                            MD5:352EBF913FD074B662F16E9C70814E10
                                            SHA1:E9A509850434B098D062D403836B988F042B526C
                                            SHA-256:633BABDAF7B2879E3A62F8DCCF8AEEC1E7A93F7760FFA0A2A8DA6C98915AF64F
                                            SHA-512:61073E225875863678CE71FC5D1EEBE189701A9F1B285E3D8C6C8CF58F722B75A7F9AFBD2E63F81698B6189CA3D668E67698B558959699FB1C302F74D59ED971
                                            Malicious:false
                                            Reputation:low
                                            Preview:MDMP..a..... ..........g............t.......................$...d(......$ ...(.......P..*...........l.......8...........T............;...............H...........J..............................................................................eJ......0K......Lw......................T..............g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................
                                            Process:C:\Windows\System32\WerFault.exe
                                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):8870
                                            Entropy (8bit):3.710513823924976
                                            Encrypted:false
                                            SSDEEP:192:R6l7wVeJj8Az6YEI2vJggmfb4Jprp89bh7zX0fPrm:R6lXJYm6YEpvJggmfb4ShfX0fq
                                            MD5:9757B83B4F4ACFD78CEDDD241F7E7EB8
                                            SHA1:16D19F9E9603B089D9471C3CEF141C5104985A44
                                            SHA-256:D5F7DAD9879BE64CC3390172D3060080E315814798968EE2B52581B98028518E
                                            SHA-512:8BC17F2DB343A45552E463ACA4484B137E40CA29C3DE7D3244B17423E30D009F17936B7848E724920F946EDCC9AEFBB68FE773268A4731FD1CE2787A3F6AC7E1
                                            Malicious:false
                                            Reputation:low
Preview (UTF-16 decoded, NUL bytes dropped; cut off where the report's preview ends):
<?xml version="1.0" encoding="UTF-16"?>
<WERReportMetadata>
  <OSVersionInformation>
    <WindowsNTVersion>10.0</WindowsNTVersion>
    <Build>19045</Build>
    <Product>(0x30): Windows 10 Pro</Product>
    <Edition>Professional</Edition>
    <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>
    <Revision>2006</Revision>
    <Flavor>Multiprocessor Free</Flavor>
    <Architecture>X64</Architecture>
    <LCID>2057</LCID>
  </OSVersionInformation>
  <ProcessInformation>
    <Pid>2452</Pi
                                            Process:C:\Windows\System32\WerFault.exe
                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):4829
                                            Entropy (8bit):4.526707889878556
                                            Encrypted:false
                                            SSDEEP:48:cvIwWl8zsdJg771I93cWpW8VYerYm8M4Jwca+F9xyq85cAezy7Mksd:uIjf3I7sV7VhuJwcxx8ezy7Mksd
                                            MD5:06D2CA8728E98DA3D2485D9B57CC9B77
                                            SHA1:BA88062B94021560DF8F7401ACC27217AE371E06
                                            SHA-256:CA2B0889F3A0CCE7EADB5E1FD992EA0635B1BCDE22BD97C456578EC8E7B73033
                                            SHA-512:F7286202888319EFBE4812C797870CAFCFD16B27D289A61C67C61E779FEC0DF382E8803D9B85189A92A4BC5187BAD3B2170D0C8DAB84EBC17FDD8D91D0AF2FA8
                                            Malicious:false
                                            Reputation:low
Preview (CRLF line breaks restored; cut off where the report's preview ends):
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<req ver="2">
 <tlm>
 <src>
 <desc>
 <mach>
 <os>
 <arg nm="vermaj" val="10" />
 <arg nm="vermin" val="0" />
 <arg nm="verbld" val="19045" />
 <arg nm="vercsdbld" val="2006" />
 <arg nm="verqfe" val="2006" />
 <arg nm="csdbld" val="2006" />
 <arg nm="versp" val="0" />
 <arg nm="arch" val="9" />
 <arg nm="lcid" val="2057" />
 <arg nm="geoid" val="223" />
 <arg nm="sku" val="48" />
 <arg nm="domain" val="0" />
 <arg nm="prodsuite" val="256" />
 <arg nm="ntprodtype" val="1" />
 <arg nm="platid" val="2" />
 <arg nm="tmsi" val="557338" />
 <arg nm="osinsty" val="1" />
 <arg nm="iever" val="11.789.19041.0-11.0.1000" />
 <arg nm="portos" val="0" />
 <arg nm="ram" val="409
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):64
                                            Entropy (8bit):1.1940658735648508
                                            Encrypted:false
                                            SSDEEP:3:NlllulxmH/lZ:NllUg
                                            MD5:D904BDD752B6F23D81E93ECA3BD8E0F3
                                            SHA1:026D8B0D0F79861746760B0431AD46BAD2A01676
                                            SHA-256:B393D3CEC8368794972E4ADD978B455A2F5BD37E3A116264DBED14DC8C67D6F2
                                            SHA-512:5B862B7F0BCCEF48E6A5A270C3F6271D7A5002465EAF347C6A266365F1B2CD3D88144C043D826D3456AA43484124D619BF16F9AEAB1F706463F553EE24CB5740
                                            Malicious:false
                                            Reputation:moderate, very likely benign file
                                            Preview:@...e................................. ..............@..........
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
Three further dropped files from powershell.exe are identical to the entry above (same 60-byte content, same MD5/SHA1/SHA-256, not malicious). Every PowerShell session writes this __PSScriptPolicyTest probe (as a .ps1 and a .psm1) to the temp directory to test for AppLocker lockdown; the files are a trace of PowerShell having run, not something the sample dropped.
                                            Process:C:\Windows\System32\WerFault.exe
                                            File Type:MS Windows registry file, NT/2000 or above
                                            Category:dropped
                                            Size (bytes):1835008
                                            Entropy (8bit):4.421777161384939
                                            Encrypted:false
                                            SSDEEP:6144:mSvfpi6ceLP/9skLmb0OTMWSPHaJG8nAgeMZMMhA2fX4WABlEnNk0uhiTwE:FvloTMW+EZMM6DFyG03wE
                                            MD5:6E15C90343EF904CA3EBA274ADA982DF
                                            SHA1:9EF915CA6C82296F0A4EB20F26B44F02A18F7D1E
                                            SHA-256:1A1669AC8F30748D668E0203753A382889C1E126652264A35DF1735748CCCE1D
                                            SHA-512:8E78EA065B03AD352D0E36F1DF351592B61DA5527940DEB5264E10BCE8A18B682C0FF53A5FE47B914B273F5157B57A3EA6BC7BE7A7183C9F89A6BF45812F8FF6
                                            Malicious:false
                                            Preview:regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.....%..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
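The per-file fingerprints listed for each dropped file (size, 8-bit entropy, digests) can be recomputed from the bytes in hand, which is how you confirm that a file recovered from an infected host is the one a report describes. The following is an added example (my own code, not part of the Joe Sandbox report); its input is the 60-byte AppLocker probe file that powershell.exe drops (listed above with MD5 D17FE0A3F47BE24A6453E9EF58C94641), with the content taken from the preview. A single trailing space is assumed, because 59 printable characters plus one more space is the only composition that reproduces both the listed size (60 bytes) and the listed entropy (4.0389...).

```python
"""Recompute the fingerprints a sandbox lists for a dropped file: size,
8-bit Shannon entropy and the MD5/SHA-1/SHA-256 digests, then compare
them with the values copied from the report.

Added example, not part of the Joe Sandbox report.
"""
import hashlib
import math
from collections import Counter

# Constructed from the report's preview of the __PSScriptPolicyTest file;
# the trailing space is an assumption (see the text above the block).
PS_POLICY_PROBE = b"# PowerShell test file to determine AppLocker lockdown mode "


def shannon_entropy(data: bytes) -> float:
    """Bits per byte over the byte histogram, the report's 'Entropy (8bit)':
    0.0 for a single repeated value, 8.0 for uniformly distributed bytes."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def fingerprint(data: bytes) -> dict:
    """Everything the dropped-file table lists that depends only on content."""
    return {
        "size": len(data),
        "entropy": shannon_entropy(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def matches_listing(data: bytes, listed: dict, tol: float = 1e-9) -> dict:
    """Recompute and compare against values copied from a report.

    Returns {field: (computed, listed)} for every mismatch; an empty dict
    means the bytes in hand are the bytes the report describes. Floats
    (entropy) are compared with a tolerance, hashes case-insensitively.
    """
    fp = fingerprint(data)
    mismatches = {}
    for key, want in listed.items():
        got = fp[key]
        if isinstance(want, float):
            same = abs(got - want) <= tol
        else:
            same = str(got).lower() == str(want).lower()
        if not same:
            mismatches[key] = (got, want)
    return mismatches


if __name__ == "__main__":
    for key, value in fingerprint(PS_POLICY_PROBE).items():
        print(f"{key}: {value}")
    # Values as listed in the report for this file.
    print(matches_listing(PS_POLICY_PROBE,
                          {"size": 60, "entropy": 4.038920595031593}, tol=1e-6))
```

The entropy comparison needs a tolerance because the report's value is a double printed at full precision; the digests, by contrast, must match exactly, and the MD5/SHA1/SHA-256 the block prints can be set against the listing above. For triage of unknown drops the same function is the first filter: plain text sits around 4 bits per byte as here, while packed or encrypted payloads approach 8.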
                                            File type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                                            Entropy (8bit):4.647598464738664
                                            TrID:
                                            • Win64 Executable GUI (202006/5) 92.65%
                                            • Win64 Executable (generic) (12005/4) 5.51%
                                            • Generic Win/DOS Executable (2004/3) 0.92%
                                            • DOS Executable Generic (2002/1) 0.92%
                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                            File name:PO F1298-24 Fabric Order.exe
                                            File size:3'415'639 bytes
                                            MD5:2ce31411b27c3fcdf0bfb5e56a784584
                                            SHA1:5afa11934390d52249dc138853922e64dcfaa528
                                            SHA256:473c91688591c4649ea77e07c95d77ecb87fbb22e060a9e1f4540af522d59ff5
                                            SHA512:0155d7cc5c31df53a8d375746fa0a1cc0bebf24e32fd64d42921afa910f4b7a7d2e721312dab06138d739ac8485dff374f9ba93a8b4e98ab8d8265855b336e94
                                            SSDEEP:12288:hyqgrdm4Vz0RpppppppppppppppppppppppppppppdHq4WJnP4b3rTJzZWoFrKfu:ceVWJnAb7lzZf2P8WhpqLgs0eiPlrXO
                                            TLSH:7AF5F141B5036D27FE58A630D5E2B9F102FE6D6B79F4902FDFA53C462ABA5BE4010432
                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...i..g.........."...0.L"............... ....@...... ..............................?.4...`................................
                                            Icon Hash:c5b492b6b69c85d1
                                            Entrypoint:0x400000
                                            Entrypoint Section:
                                            Digitally signed:false
                                            Imagebase:0x400000
                                            Subsystem:windows gui
                                            Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                            DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                            Time Stamp:0x67190369 [Wed Oct 23 14:08:41 2024 UTC]
                                            TLS Callbacks:
                                            CLR (.Net) Version:
                                            OS Version Major:4
                                            OS Version Minor:0
                                            File Version Major:4
                                            File Version Minor:0
                                            Subsystem Version Major:4
                                            Subsystem Version Minor:0
                                            Import Hash:
Instruction (disassembly at the reported entry point):
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al
These are the first bytes of the DOS header (4D 5A 90 00 03 00 ...) decoded as x86 code, not real instructions: the reported entry point equals the image base because AddressOfEntryPoint is 0, which is normal for a 64-bit .NET assembly, where the CLR starts execution from the COM descriptor rather than from a native stub.
Data directories (Name | Virtual Address | Virtual Size | Is in Section):
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6000 | 0x3806a | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2000 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
A populated COM descriptor (the CLR header) alongside empty import, IAT and export directories is the profile of a managed assembly: there is no native import table, which is why the Import Hash above is empty and why import-based signatures will not match this file.
Sections (Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics):
.text | 0x2000 | 0x224c | 0x2400 | 50813b0eef0c35bea61020f17cff13c5 | False | 0.5576171875 | data | 5.54257814467223 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x6000 | 0x3806a | 0x38200 | c2bbec77d50653a46ed0d85398a90457 | False | 0.30771941119153673 | data | 5.194902272133097 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
The two sections hold 0x3A600 bytes of raw data (about 239 KB), so most of the 3'415'639-byte file lies outside any section as an overlay. Neither section is XOR-encoded, and their entropy of roughly 5.2 to 5.5 bits per byte is well below what packed or encrypted content shows.
                                             Name          | RVA     | Size    | Type                                                                              | Language | Country | ZLIB Complexity
                                             RT_ICON       | 0x6474  | 0x668   | Device independent bitmap graphic, 48 x 96 x 4, image size 1152                   |          |         | 0.38353658536585367
                                             RT_ICON       | 0x6adc  | 0x2e8   | Device independent bitmap graphic, 32 x 64 x 4, image size 512                    |          |         | 0.48655913978494625
                                             RT_ICON       | 0x6dc4  | 0x1e8   | Device independent bitmap graphic, 24 x 48 x 4, image size 288                    |          |         | 0.5286885245901639
                                             RT_ICON       | 0x6fac  | 0x128   | Device independent bitmap graphic, 16 x 32 x 4, image size 128                    |          |         | 0.5878378378378378
                                             RT_ICON       | 0x70d4  | 0x6739  | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced                       |          |         | 0.9933017975402081
                                             RT_ICON       | 0xd810  | 0xea8   | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors |       |         | 0.5578358208955224
                                             RT_ICON       | 0xe6b8  | 0x8a8   | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors |       |         | 0.6367328519855595
                                             RT_ICON       | 0xef60  | 0x6c8   | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors  |       |         | 0.6497695852534562
                                             RT_ICON       | 0xf628  | 0x568   | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors  |       |         | 0.47760115606936415
                                             RT_ICON       | 0xfb90  | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584               |          |         | 0.125
                                             RT_ICON       | 0x203b8 | 0x94a8  | Device independent bitmap graphic, 96 x 192 x 32, image size 38016                |          |         | 0.21113622030691612
                                             RT_ICON       | 0x29860 | 0x67e8  | Device independent bitmap graphic, 80 x 160 x 32, image size 26560                |          |         | 0.21157894736842106
                                             RT_ICON       | 0x30048 | 0x5488  | Device independent bitmap graphic, 72 x 144 x 32, image size 21600                |          |         | 0.24269870609981517
                                             RT_ICON       | 0x354d0 | 0x4228  | Device independent bitmap graphic, 64 x 128 x 32, image size 16896                |          |         | 0.22325224374114314
                                             RT_ICON       | 0x396f8 | 0x25a8  | Device independent bitmap graphic, 48 x 96 x 32, image size 9600                  |          |         | 0.3196058091286307
                                             RT_ICON       | 0x3bca0 | 0x10a8  | Device independent bitmap graphic, 32 x 64 x 32, image size 4224                  |          |         | 0.3642120075046904
                                             RT_ICON       | 0x3cd48 | 0x988   | Device independent bitmap graphic, 24 x 48 x 32, image size 2400                  |          |         | 0.5086065573770492
                                             RT_ICON       | 0x3d6d0 | 0x468   | Device independent bitmap graphic, 16 x 32 x 32, image size 1088                  |          |         | 0.5735815602836879
                                             RT_GROUP_ICON | 0x3db38 | 0x102   | data                                                                              |          |         | 0.6007751937984496
                                             RT_VERSION    | 0x3dc3c | 0x244   | data                                                                              |          |         | 0.46379310344827585
                                             RT_MANIFEST   | 0x3de80 | 0x1ea   | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators |          |         | 0.5489795918367347
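Two things a triager reads off these three tables: the sections account for only about 240 KB of a file the process list reports as 3'415'639 bytes, so the bulk of the file sits past the last section as an overlay; and the .rsrc section, sixteen times the size of .text, is almost entirely icon data (eighteen RT_ICON entries). The Python below is an added example, not content from the Joe Sandbox report, that reproduces that arithmetic from the table values. The report does not list raw-data offsets, so the overlay figure assumes a 0x200-byte header followed by contiguous, file-aligned sections; treat it as an estimate.

```python
# Added example: triage arithmetic over the PE tables from the report.
# The section and resource numbers are copied from the report; the header
# size and contiguous file layout are assumptions (raw offsets are not shown).

FILE_SIZE = 3_415_639  # "File size" of the sample from the process list

# (name, virtual_address, virtual_size, raw_size, characteristics)
SECTIONS = [
    (".text", 0x2000, 0x224C, 0x2400,
     {"IMAGE_SCN_CNT_CODE", "IMAGE_SCN_MEM_EXECUTE", "IMAGE_SCN_MEM_READ"}),
    (".rsrc", 0x6000, 0x3806A, 0x38200,
     {"IMAGE_SCN_CNT_INITIALIZED_DATA", "IMAGE_SCN_MEM_READ"}),
]

# (type, rva, size) for every resource entry in the report
RESOURCES = [
    ("RT_ICON", 0x6474, 0x668), ("RT_ICON", 0x6ADC, 0x2E8), ("RT_ICON", 0x6DC4, 0x1E8),
    ("RT_ICON", 0x6FAC, 0x128), ("RT_ICON", 0x70D4, 0x6739), ("RT_ICON", 0xD810, 0xEA8),
    ("RT_ICON", 0xE6B8, 0x8A8), ("RT_ICON", 0xEF60, 0x6C8), ("RT_ICON", 0xF628, 0x568),
    ("RT_ICON", 0xFB90, 0x10828), ("RT_ICON", 0x203B8, 0x94A8), ("RT_ICON", 0x29860, 0x67E8),
    ("RT_ICON", 0x30048, 0x5488), ("RT_ICON", 0x354D0, 0x4228), ("RT_ICON", 0x396F8, 0x25A8),
    ("RT_ICON", 0x3BCA0, 0x10A8), ("RT_ICON", 0x3CD48, 0x988), ("RT_ICON", 0x3D6D0, 0x468),
    ("RT_GROUP_ICON", 0x3DB38, 0x102), ("RT_VERSION", 0x3DC3C, 0x244),
    ("RT_MANIFEST", 0x3DE80, 0x1EA),
]

HEADER_SIZE = 0x200  # assumption: usual header size / file alignment for .NET images


def estimate_overlay(sections, file_size, header_size=HEADER_SIZE):
    """Bytes past the last section, assuming sections follow the headers contiguously."""
    end_of_sections = header_size + sum(raw for _, _, _, raw, _ in sections)
    return max(0, file_size - end_of_sections)


def resource_bytes_by_type(resources):
    """Total resource bytes per resource type."""
    totals = {}
    for rtype, _, size in resources:
        totals[rtype] = totals.get(rtype, 0) + size
    return totals


def section_by_name(sections, name):
    return next(s for s in sections if s[0] == name)


def triage(sections=SECTIONS, resources=RESOURCES, file_size=FILE_SIZE):
    """Return the findings a triager would note from these tables."""
    overlay = estimate_overlay(sections, file_size)
    per_type = resource_bytes_by_type(resources)
    rsrc_vsize = section_by_name(sections, ".rsrc")[2]
    text_vsize = section_by_name(sections, ".text")[2]
    # Writable + executable sections would be a red flag; none here.
    wx = [s[0] for s in sections
          if {"IMAGE_SCN_MEM_WRITE", "IMAGE_SCN_MEM_EXECUTE"} <= s[4]]
    return {
        "overlay_bytes": overlay,
        "overlay_fraction": round(overlay / file_size, 3),
        "icon_bytes": per_type.get("RT_ICON", 0),
        "icon_fraction_of_rsrc": round(per_type.get("RT_ICON", 0) / rsrc_vsize, 3),
        "rsrc_to_text_ratio": round(rsrc_vsize / text_vsize, 1),
        "writable_executable_sections": wx,
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

Under those assumptions roughly 93% of the file is overlay, which is where a loader of this size typically keeps its encrypted payload; a real triage would confirm the figure from the section headers' PointerToRawData before carving the overlay.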
                                             Timestamp                            | Source Port | Dest Port | Source IP   | Dest IP
                                             Oct 24, 2024 11:56:14.894902945 CEST | 49704       | 25        | 192.168.2.5 | 46.175.148.58
                                             Oct 24, 2024 11:56:15.880306959 CEST | 49704       | 25        | 192.168.2.5 | 46.175.148.58
                                             Oct 24, 2024 11:56:17.974066019 CEST | 49704       | 25        | 192.168.2.5 | 46.175.148.58
                                             Oct 24, 2024 11:56:21.989737034 CEST | 49704       | 25        | 192.168.2.5 | 46.175.148.58
                                             Oct 24, 2024 11:56:30.005357981 CEST | 49704       | 25        | 192.168.2.5 | 46.175.148.58
                                             Timestamp                            | Source Port | Dest Port | Source IP   | Dest IP
                                             Oct 24, 2024 11:56:14.820390940 CEST | 50213       | 53        | 192.168.2.5 | 1.1.1.1
                                             Oct 24, 2024 11:56:14.856646061 CEST | 53          | 50213     | 1.1.1.1     | 192.168.2.5
                                             Timestamp                            | Source IP   | Dest IP | Trans ID | OP Code            | Name                    | Type           | Class       | DNS over HTTPS
                                             Oct 24, 2024 11:56:14.820390940 CEST | 192.168.2.5 | 1.1.1.1 | 0x8d1f   | Standard query (0) | mail.iaa-airferight.com | A (IP address) | IN (0x0001) | false
                                             Timestamp                            | Source IP | Dest IP     | Trans ID | Reply Code   | Name                    | CName | Address       | Type           | Class       | DNS over HTTPS
                                             Oct 24, 2024 11:56:14.856646061 CEST | 1.1.1.1   | 192.168.2.5 | 0x8d1f   | No error (0) | mail.iaa-airferight.com |       | 46.175.148.58 | A (IP address) | IN (0x0001) | false
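The DNS answer ties 46.175.148.58 to mail.iaa-airferight.com, and every outbound packet to that host goes to port 25 from the same source port, spaced roughly 1, 2, 4 and 8 seconds apart with no reply rows listed. That spacing is what a client's retransmitted connection attempt looks like, not an established SMTP session, so the sandbox run most likely never delivered anything to the mail server. The Python below is an added example, not part of the report, that parses the rows (re-typed inline from the tables above), joins the DNS answer to the connection and flags the doubling-interval pattern; the "roughly doubling gaps" heuristic and its tolerance are the example's own.

```python
# Added example: correlate the DNS answer with the outbound connection rows
# and recognise an unanswered, retransmitted connection attempt.
from datetime import datetime

# Rows re-typed from the report's packet and DNS tables (not captured live here).
TCP_ROWS = [
    ("Oct 24, 2024 11:56:14.894902945", 49704, 25, "192.168.2.5", "46.175.148.58"),
    ("Oct 24, 2024 11:56:15.880306959", 49704, 25, "192.168.2.5", "46.175.148.58"),
    ("Oct 24, 2024 11:56:17.974066019", 49704, 25, "192.168.2.5", "46.175.148.58"),
    ("Oct 24, 2024 11:56:21.989737034", 49704, 25, "192.168.2.5", "46.175.148.58"),
    ("Oct 24, 2024 11:56:30.005357981", 49704, 25, "192.168.2.5", "46.175.148.58"),
]
DNS_ANSWERS = [
    # (name, address) from the DNS answer table
    ("mail.iaa-airferight.com", "46.175.148.58"),
]


def parse_ts(text):
    """Parse the report's timestamp; nanoseconds are truncated to microseconds."""
    head, frac = text.rsplit(".", 1)
    return datetime.strptime(f"{head}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


def group_flows(rows):
    """Group packets by (src_ip, src_port, dst_ip, dst_port), timestamps sorted."""
    flows = {}
    for ts, sport, dport, src, dst in rows:
        flows.setdefault((src, sport, dst, dport), []).append(parse_ts(ts))
    for times in flows.values():
        times.sort()
    return flows


def looks_like_retransmission(times, tolerance=0.25):
    """True if successive gaps roughly double, the shape of a client's SYN retries.

    Heuristic of this example: at least three gaps, each within `tolerance`
    (as a fraction) of twice the previous gap.
    """
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 3:
        return False
    return all(prev > 0 and abs(nxt / prev - 2.0) <= tolerance
               for prev, nxt in zip(gaps, gaps[1:]))


def analyse(rows=TCP_ROWS, answers=DNS_ANSWERS):
    """One finding per flow, with the DNS name that resolved to its destination."""
    name_for = {addr: name for name, addr in answers}
    findings = []
    for (src, sport, dst, dport), times in group_flows(rows).items():
        findings.append({
            "dst": f"{dst}:{dport}",
            "domain": name_for.get(dst),
            "packets": len(times),
            "retransmission_pattern": looks_like_retransmission(times),
        })
    return findings


if __name__ == "__main__":
    for finding in analyse():
        print(finding)
```

For the rows above the gaps come out at about 0.99, 2.09, 4.02 and 8.02 seconds, so the flow is reported as a retransmission pattern. The practical consequence is that the SMTP credentials and exfiltration format are not recoverable from this capture; they have to come from the extracted configuration or from a run against a live or simulated mail server.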

                                            Target ID:0
                                            Start time:05:56:07
                                            Start date:24/10/2024
                                            Path:C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe
                                            Wow64 process (32bit):false
                                            Commandline:"C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe"
                                            Imagebase:0x1855a400000
                                            File size:3'415'639 bytes
                                            MD5 hash:2CE31411B27C3FCDF0BFB5E56A784584
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2330596455.000001855C594000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2331410579.000001856CE42000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2331410579.000001856CE42000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            Reputation:low
                                            Has exited:true

                                            Target ID:2
                                            Start time:05:56:11
                                            Start date:24/10/2024
                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            Wow64 process (32bit):false
                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe" -Force
                                            Imagebase:0x7ff7be880000
                                            File size:452'608 bytes
                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:3
                                            Start time:05:56:11
                                            Start date:24/10/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff6d64d0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:4
                                            Start time:05:56:11
                                            Start date:24/10/2024
                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
                                            Imagebase:0xc40000
                                            File size:65'440 bytes
                                            MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.3351887667.0000000002FBE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.3345081837.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.3345081837.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.3351887667.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.3351887667.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            Reputation:high
                                            Has exited:false

                                            Target ID:5
                                            Start time:05:56:11
                                            Start date:24/10/2024
                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                            Wow64 process (32bit):false
                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
                                            Imagebase:0xcc0000
                                            File size:65'440 bytes
                                            MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:8
                                            Start time:05:56:11
                                            Start date:24/10/2024
                                            Path:C:\Windows\System32\WerFault.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\WerFault.exe -u -p 2452 -s 1604
                                            Imagebase:0x7ff6e8a40000
                                            File size:570'736 bytes
                                            MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true
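The process list turns two of the report's signatures into concrete, detectable command lines: powershell.exe adding a Windows Defender exclusion for the sample's own path, and RegAsm.exe, the .NET assembly registration tool, started with no arguments at all, which it never is in legitimate use. The Python below is an added example, not part of the report, of process-creation detection logic for both artefacts; it runs over constructed events modelled on the rows above. The parent_image values in those events are assumptions, since this excerpt lists the processes but not which one spawned which. The example's own additions are the handling of the -EncodedCommand form of the PowerShell rule and the inclusion of RegSvcs.exe and InstallUtil.exe, sibling .NET utilities that get hollowed the same way, alongside RegAsm.exe.

```python
# Added example: process-creation detection logic for the two artefacts shown
# in the process list (a Defender exclusion added via PowerShell, and
# RegAsm.exe launched with no arguments).
import base64
import re
from pathlib import PureWindowsPath

# Constructed events modelled on the report's process rows. The parent_image
# values are assumptions made for this example; the report excerpt does not
# state which process spawned which.
EVENTS = [
    {"pid": 1, "image": r"C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe",
     "cmdline": r'"C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe"',
     "parent_image": r"C:\Windows\explorer.exe"},
    {"pid": 2, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": (r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                 r'Add-MpPreference -ExclusionPath '
                 r'"C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe" -Force'),
     "parent_image": r"C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe"},
    {"pid": 3, "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 4, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"',
     "parent_image": r"C:\Users\user\Desktop\PO F1298-24 Fabric Order.exe"},
]

DOTNET_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe"}  # this example's own list
SHELLS = {"powershell.exe", "pwsh.exe"}
TOKEN = re.compile(r'"[^"]*"|\S+')
# -e, -ec, -enc and -EncodedCommand are all accepted by powershell.exe
ENCODED_ARG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
EXCLUSION = re.compile(
    r'\b(?:add|set)-mppreference\b.*?-exclusion(?:path|process|extension)\s+("[^"]+"|\S+)',
    re.IGNORECASE)


def argument_count(cmdline):
    """Number of tokens after the image token; a quoted path counts as one token."""
    return max(0, len(TOKEN.findall(cmdline)) - 1)


def encode_powershell_command(script):
    """Produce the value powershell.exe accepts after -EncodedCommand (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script, or None if the command line has none."""
    match = ENCODED_ARG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def parent_is_user_writable(path):
    """Coarse check: the parent image lives under a user profile directory."""
    parts = [p.lower() for p in path.parts]
    return len(parts) > 1 and parts[1] == "users"


def detect(events=EVENTS):
    """Run both rules over process-creation events and return the findings."""
    findings = []
    for ev in events:
        image = PureWindowsPath(ev["image"]).name.lower()
        cmd = ev["cmdline"]
        if image in SHELLS:
            decoded = decode_encoded_command(cmd)
            match = EXCLUSION.search(decoded if decoded is not None else cmd)
            if match:
                findings.append({
                    "pid": ev["pid"], "rule": "defender_exclusion_added",
                    "excluded": match.group(1).strip('"'),
                    "encoded": decoded is not None,
                })
        if image in DOTNET_HOSTS and argument_count(cmd) == 0:
            findings.append({
                "pid": ev["pid"], "rule": "dotnet_host_without_arguments",
                "parent_in_user_path": parent_is_user_writable(PureWindowsPath(ev["parent_image"])),
            })
    return findings


if __name__ == "__main__":
    for finding in detect():
        print(finding)
```

The exclusion rule fires regardless of whether the cmdlet is visible in clear text or hidden behind -EncodedCommand, and it records the excluded path so the alert can be joined to the file that was just written or executed. The argument-less .NET host rule is noisy on developer workstations; the parent-path flag is what separates a hollowed RegAsm.exe started from a user's Desktop from one started by a build tool.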


                                              Execution Graph

                                              Execution Coverage:11.9%
                                              Dynamic/Decrypted Code Coverage:100%
                                              Signature Coverage:0%
                                              Total number of Nodes:19
                                              Total number of Limit Nodes:4
                                              execution_graph (19 nodes, 4 limit nodes): 0x2df0848 -> 0x2df084e -> 0x2df1380 -> 0x2df1396 -> 0x2df7090 -> 0x2df709a -> {0x646cf98 | 0x646cf87} -> 0x646cfad -> {0x646d5b8 | 0x646d5f0}; each of the last two blocks calls GlobalMemoryStatusEx three times and loops back to 0x646cfad. Return path: 0x646d1c2 -> 0x2df70b4 -> 0x2df1396 -> 0x2df1480 -> 0x2df084e -> 0x2df091b. GlobalMemoryStatusEx (physical memory size) is the only API named in the graph; repeated memory-size queries are a common low-RAM sandbox check.
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.3377147407.0000000006460000.00000040.00000800.00020000.00000000.sdmp, Offset: 06460000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_6460000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: $sq$$sq$$sq$$sq$$sq$$sq
                                              • API String ID: 0-3087168343
                                              • Opcode ID: 6b80a767eb66db9f65fb94f05714023c582d82b5d8e9d3c616d4a4e7c746cd32
                                              • Instruction ID: 6c0903fb5278e3d4f2c1b6c6bcac25b190376e0f79da0364603eda8e9b8be62e
                                              • Opcode Fuzzy Hash: 6b80a767eb66db9f65fb94f05714023c582d82b5d8e9d3c616d4a4e7c746cd32
                                              • Instruction Fuzzy Hash: C0827E30E106198FCB55EF69C594A9DB7B2FF85300F50C6AAE409AB354EB70ED85CB81
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.3377147407.0000000006460000.00000040.00000800.00020000.00000000.sdmp, Offset: 06460000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_6460000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: $sq$$sq$$sq$$sq$$sq$$sq
                                              • API String ID: 0-3087168343
                                              • Opcode ID: 505fa544793de69439d64ed1b56c8ebde72a30150fe605e497e03cd70c30f911
                                              • Instruction ID: ac07cbf20c7036c3eca77c4c37f0e40298b8b0cd8a05b931ba46617db762b679
                                              • Opcode Fuzzy Hash: 505fa544793de69439d64ed1b56c8ebde72a30150fe605e497e03cd70c30f911
                                              • Instruction Fuzzy Hash: 1F528E70E1020A8FDF65DBA9D5946AEB7B2FB89310F208827E405DB355CB74DC85CB92

                                              Control-flow Graph

                                              control_flow_graph: basic blocks 0x646bd08 to 0x646c46d, calling 0x6463f00 from 0x646be7d and 0x646c3ee (per-node executed/not-executed rendering omitted)
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.3377147407.0000000006460000.00000040.00000800.00020000.00000000.sdmp, Offset: 06460000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_6460000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: 0oVp$DqVp$PHsq
                                              • API String ID: 0-843718501
                                              • Opcode ID: 8d9af6a68713841ceddd4b699b952ac0d828c7d5e66d569547e346bab513ef93
                                              • Instruction ID: e509348c1bd26605ca0beb642516c1cf143b2ffedbcf7c668a2982c9cd64070c
                                              • Opcode Fuzzy Hash: 8d9af6a68713841ceddd4b699b952ac0d828c7d5e66d569547e346bab513ef93
                                              • Instruction Fuzzy Hash: 2A22B170B101058FCB55DB69D894AAEB7F2FF89310F20896AE406DB361DB75EC41CB92
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.3350336235.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_2df0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4d87fee1d4fba6e0708781e17eecefe124e2e2aeb7abd40b13d42ec5f1833a51
                                              • Instruction ID: 1808deca5a616d856f03d5911d53bb60a423f0e19d0400d2c048a5a66ac2f92e
                                              • Opcode Fuzzy Hash: 4d87fee1d4fba6e0708781e17eecefe124e2e2aeb7abd40b13d42ec5f1833a51
                                              • Instruction Fuzzy Hash: 41630C31D10B198ACB51EF68C8806A9F7B1FF99300F51D79AE45877221EB70AAD5CF81

                                              Control-flow Graph

                                              control_flow_graph: basic blocks 0x64656e0 to 0x6465d22, calling 0x6461ae0 from 0x6465833 and 0x6463f00 from 0x646592f and 0x6465b8a (per-node executed/not-executed rendering omitted)
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.3377147407.0000000006460000.00000040.00000800.00020000.00000000.sdmp, Offset: 06460000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_6460000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: $sq$$sq
                                              • API String ID: 0-1184984226
                                              • Opcode ID: da90a46f1131e401ec2ca74d277a35fb88a1f3ca1745d4b5036e549e1d8ea0d7
                                              • Instruction ID: 47864e2fdf8ec58fe5e22df56e3e075ac96ebd3fd4f6be07ad7de4a50490b627
                                              • Opcode Fuzzy Hash: da90a46f1131e401ec2ca74d277a35fb88a1f3ca1745d4b5036e549e1d8ea0d7
                                              • Instruction Fuzzy Hash: 0202BE70B002058FCF59EB69D594AAEB7B2FF84314F14892AE406DB354DB35EC86CB91

                                              Control-flow Graph

                                              control_flow_graph: basic blocks 0x646dd18 to 0x646e126, calling 0x646d590 and 0x646d3c4 from 0x646dd2c and 0x6461ae0 from 0x646e09c; a 16-way dispatch at 0x646de47 whose targets all converge at 0x646e0a5 (per-node executed/not-executed rendering omitted)
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.3377147407.0000000006460000.00000040.00000800.00020000.00000000.sdmp, Offset: 06460000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_6460000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: Xwq$$sq
                                              • API String ID: 0-2558833440
                                              • Opcode ID: 801ced2b033aa84b9f6a800e05217767e63d9b290702923f991c57053bc4bd1f
                                              • Instruction ID: ab45bbbc82f4f26181bc043ff8f3c6808f9cafd12208280cd540c5fbaa8143a2
                                              • Opcode Fuzzy Hash: 801ced2b033aa84b9f6a800e05217767e63d9b290702923f991c57053bc4bd1f
                                              • Instruction Fuzzy Hash: DCB1B278B042188FDB58AB79885467EBBE7BFC8300B15842EE506D7388DE359C029792
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.3350336235.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_2df0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0d1e6f6cca341178a200eef24e32a2bcb5c5670772ae1525fccd4ece7d4de936
                                              • Instruction ID: d01062c121ae21dd4eb9c25f9d20c2f89ad8aee9573102f932c010700536b18f
                                              • Opcode Fuzzy Hash: 0d1e6f6cca341178a200eef24e32a2bcb5c5670772ae1525fccd4ece7d4de936
                                              • Instruction Fuzzy Hash: 6D331B31D107198ECB11EF68C8846ADF7B1FF99300F15D79AE558A7221EB70AAC5CB81

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 2874 6462b00-6462b1d 2875 6462b1f-6462b22 2874->2875 2876 6462b24-6462b43 2875->2876 2877 6462b48-6462b4b 2875->2877 2876->2877 2878 6462b65-6462b68 2877->2878 2879 6462b4d-6462b57 2877->2879 2881 6462b6f-6462b72 2878->2881 2882 6462b6a-6462b6c 2878->2882 2883 6462b5e-6462b60 2879->2883 2884 6462b74-6462b78 2881->2884 2885 6462b83-6462b86 2881->2885 2882->2881 2883->2878 2886 6462b7e 2884->2886 2887 6462cc9-6462cd6 2884->2887 2888 6462b94-6462b97 2885->2888 2889 6462b88-6462b8f 2885->2889 2886->2885 2891 6462b9f-6462ba2 2888->2891 2892 6462b99-6462b9a 2888->2892 2889->2888 2893 6462ba4-6462baa 2891->2893 2894 6462bda-6462bdd 2891->2894 2892->2891 2895 6462cd7-6462d03 2893->2895 2896 6462bb0-6462bb8 2893->2896 2897 6462bf1-6462bf4 2894->2897 2898 6462bdf-6462bec 2894->2898 2907 6462d0d-6462d10 2895->2907 2896->2895 2899 6462bbe-6462bcb 2896->2899 2900 6462bf6-6462c08 2897->2900 2901 6462c0d-6462c10 2897->2901 2898->2897 2899->2895 2904 6462bd1-6462bd5 2899->2904 2900->2901 2902 6462c26-6462c29 2901->2902 2903 6462c12-6462c21 2901->2903 2909 6462c46-6462c49 2902->2909 2910 6462c2b-6462c41 2902->2910 2903->2902 2904->2894 2914 6462d32-6462d35 2907->2914 2915 6462d12-6462d16 2907->2915 2912 6462c55-6462c58 2909->2912 2913 6462c4b-6462c54 2909->2913 2910->2909 2919 6462c71-6462c77 2912->2919 2920 6462c5a-6462c5d 2912->2920 2916 6462d57-6462d5a 2914->2916 2917 6462d37-6462d3b 2914->2917 2921 6462d1c-6462d24 2915->2921 2922 6462dfa-6462e34 2915->2922 2925 6462d5c-6462d66 2916->2925 2926 6462d6b-6462d6e 2916->2926 2917->2922 2924 6462d41-6462d49 2917->2924 2919->2879 2923 6462c7d 2919->2923 2927 6462c5f-6462c65 2920->2927 2928 6462c6c-6462c6f 2920->2928 2921->2922 2929 6462d2a-6462d2d 2921->2929 2940 6462e36-6462e39 2922->2940 2930 6462c82-6462c85 2923->2930 2924->2922 2931 6462d4f-6462d52 2924->2931 2925->2926 2933 6462d70-6462d77 2926->2933 2934 6462d78-6462d7b 2926->2934 2935 6462c87-6462c8a 2927->2935 2936 6462c67 2927->2936 2928->2919 2928->2930 2929->2914 2930->2935 2939 6462c8f-6462c92 2930->2939 2931->2916 2937 6462d93-6462d96 2934->2937 2938 6462d7d-6462d8e 2934->2938 2935->2939 2936->2928 2942 6462da6-6462da9 2937->2942 2943 6462d98-6462d9f 2937->2943 2938->2937 2944 6462c94-6462c9a 2939->2944 2945 6462ca5-6462ca8 2939->2945 2946 6462e47-6462e4a 2940->2946 2947 6462e3b-6462e42 2940->2947 2952 6462dc3-6462dc6 2942->2952 2953 6462dab-6462daf 2942->2953 2949 6462df2-6462df9 2943->2949 2950 6462da1 2943->2950 2944->2893 2951 6462ca0 2944->2951 2954 6462cb2-6462cb5 2945->2954 2955 6462caa-6462cad 2945->2955 2956 6462e4c-6462e5d 2946->2956 2957 6462e68-6462e6b 2946->2957 2947->2946 2950->2942 2951->2945 2960 6462de0-6462de2 2952->2960 2961 6462dc8-6462dcc 2952->2961 2953->2922 2958 6462db1-6462db9 2953->2958 2954->2944 2959 6462cb7-6462cb9 2954->2959 2955->2954 2975 6462e63 2956->2975 2976 6463201-6463214 2956->2976 2962 6462e75-6462e78 2957->2962 2963 6462e6d-6462e72 2957->2963 2958->2922 2964 6462dbb-6462dbe 2958->2964 2965 6462cc0-6462cc3 2959->2965 2966 6462cbb 2959->2966 2969 6462de4 2960->2969 2970 6462de9-6462dec 2960->2970 2961->2922 2968 6462dce-6462dd6 2961->2968 2971 6462e92-6462e95 2962->2971 2972 6462e7a-6462e8b 2962->2972 2963->2962 2964->2952 2965->2875 2965->2887 2966->2965 2968->2922 2977 6462dd8-6462ddb 2968->2977 2969->2970 2970->2907 2970->2949 2973 6462e97-6462e9a 2971->2973 2974 6462ece-6463062 2971->2974 2980 6462e9c-6462ead 2972->2980 2981 6462e8d 2972->2981 2979 6462eb4-6462eb7 2973->2979 2973->2980 3023 646319b-64631ae 2974->3023 3024 6463068-646306f 2974->3024 2975->2957 2977->2960 2983 6462ec5-6462ec8 2979->2983 2984 6462eb9-6462ec0 2979->2984 2980->2947 2989 6462eaf 2980->2989 2981->2971 2983->2974 2987 64631b1-64631b4 2983->2987 2984->2983 2987->2974 2990 64631ba-64631bd 2987->2990 2989->2979 2991 64631bf-64631d0 2990->2991 2992 64631db-64631de 2990->2992 2991->2947 3002 64631d6 2991->3002 2994 64631e0-64631f1 2992->2994 2995 64631fc-64631ff 2992->2995 2994->2947 3003 64631f7 2994->3003 2995->2976 2996 6463217-6463219 2995->2996 3000 6463220-6463223 2996->3000 3001 646321b 2996->3001 3000->2940 3004 6463229-6463232 3000->3004 3001->3000 3002->2992 3003->2995 3025 6463075-6463098 3024->3025 3026 6463123-646312a 3024->3026 3035 64630a0-64630a8 3025->3035 3026->3023 3027 646312c-646315f 3026->3027 3039 6463164-6463191 3027->3039 3040 6463161 3027->3040 3036 64630ad-64630ee 3035->3036 3037 64630aa 3035->3037 3048 6463106-6463117 3036->3048 3049 64630f0-6463101 3036->3049 3037->3036 3039->3004 3040->3039 3048->3004 3049->3004
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.3377147407.0000000006460000.00000040.00000800.00020000.00000000.sdmp, Offset: 06460000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_6460000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: $
                                              • API String ID: 0-3993045852
                                              • Opcode ID: 6c4ad5660d6e319d4826aa17da58f1382386be5894b7e66bb1202191418a01bc
                                              • Instruction ID: c05d9fcd140f734e34729b9af4168090c621a53228f180bdc67f172e73a26f4b
                                              • Opcode Fuzzy Hash: 6c4ad5660d6e319d4826aa17da58f1382386be5894b7e66bb1202191418a01bc
                                              • Instruction Fuzzy Hash: 9722D071F002159BDF65DFA5C8806AFBBB2FF89310F20846AE406AB344DA75DD46CB91
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.3377147407.0000000006460000.00000040.00000800.00020000.00000000.sdmp, Offset: 06460000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_6460000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 1b9421307de1ea990916e5a139d1612d93fc3b1127ee970c60a10a2973d7131f
                                              • Instruction ID: 3752e6aa623ed6304ab5137d9f8cbac7f39feb5c80829519fbf4b29a23ab7437
                                              • Opcode Fuzzy Hash: 1b9421307de1ea990916e5a139d1612d93fc3b1127ee970c60a10a2973d7131f
                                              • Instruction Fuzzy Hash: DA627C34B002058FDF55EB69D594AAEB7F2EF88314F14846AE406EB394DB35EC46CB81
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.3377147407.0000000006460000.00000040.00000800.00020000.00000000.sdmp, Offset: 06460000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_6460000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 974b5ab7722f7c956ed7c7a746a671dedaffaa588269a48afb968cb71064d4fc
                                              • Instruction ID: 889efb64a4641d16817df1aedf18ba91a87f8b809b45f3e0c981504820977a06
                                              • Opcode Fuzzy Hash: 974b5ab7722f7c956ed7c7a746a671dedaffaa588269a48afb968cb71064d4fc
                                              • Instruction Fuzzy Hash: DD329430B011098FDF55EF69D994BAEB7B2FB89310F10852AE406EB355DB30DC468B92
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.3350336235.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_2df0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ad66b7c9fb1f58040b72e65634dad44e6a55cfc39b5661e2884fa84c1f524a7e
                                              • Instruction ID: 0c31f8b3d7ce22cc0d8260518e698dec07895d379360e4091743412befbb7724
                                              • Opcode Fuzzy Hash: ad66b7c9fb1f58040b72e65634dad44e6a55cfc39b5661e2884fa84c1f524a7e
                                              • Instruction Fuzzy Hash: AB329C75E002048FDB54DF68D894BAEBBB2EF88314F258469E909EB394DB30DC45CB94
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.3350336235.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_2df0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: dfec8d6197ee1a55af1e98150e73546ea28ffe9745827c41d6f9757bbbd3d56c
                                              • Instruction ID: aa03c307774d9dde92070c6a3f79d62dad780e8e93741db07f274bb31a167bd4
                                              • Opcode Fuzzy Hash: dfec8d6197ee1a55af1e98150e73546ea28ffe9745827c41d6f9757bbbd3d56c
                                              • Instruction Fuzzy Hash: 0DB18F71E002098FDB50CFA9C98579EBBF2AF88314F158129DA15EB354EB349C85CB85
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.3350336235.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_2df0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3b3eea267a3b41a635936a9e75702b1a1a136c809ea2590ff027c4dee9537851
                                              • Instruction ID: 737584947cf01d679f2e178f339e4e37162c93e629623a3e9c351e8e4217cd16
                                              • Opcode Fuzzy Hash: 3b3eea267a3b41a635936a9e75702b1a1a136c809ea2590ff027c4dee9537851
                                              • Instruction Fuzzy Hash: 02918E70E002499FDF50CFA8C98579EBBF2AF88314F168129E615E7394EB749C45CB85

                                              Control-flow Graph

                                              control_flow_graph 2389 2df6ed8-2df6f42 call 2df6c40 2398 2df6f5e-2df6f8c 2389->2398 2399 2df6f44-2df6f5d call 2df638c 2389->2399 2405 2df6f8e-2df6f91 2398->2405 2406 2df6fcd-2df6fd0 2405->2406 2407 2df6f93-2df6fc8 2405->2407 2408 2df6fd2 2406->2408 2409 2df6fe0-2df6fe3 2406->2409 2407->2406 2433 2df6fd2 call 2df7918 2408->2433 2434 2df6fd2 call 2df7908 2408->2434 2435 2df6fd2 call 2df80f1 2408->2435 2410 2df7016-2df7019 2409->2410 2411 2df6fe5-2df6ff9 2409->2411 2413 2df702d-2df702f 2410->2413 2414 2df701b-2df7022 2410->2414 2421 2df6fff 2411->2421 2422 2df6ffb-2df6ffd 2411->2422 2412 2df6fd8-2df6fdb 2412->2409 2418 2df7036-2df7039 2413->2418 2419 2df7031 2413->2419 2416 2df70eb-2df70f1 2414->2416 2417 2df7028 2414->2417 2417->2413 2418->2405 2420 2df703f-2df704e 2418->2420 2419->2418 2425 2df7078-2df708e 2420->2425 2426 2df7050-2df7053 2420->2426 2423 2df7002-2df7011 2421->2423 2422->2423 2423->2410 2425->2416 2429 2df705b-2df7076 2426->2429 2429->2425 2429->2426 2433->2412 2434->2412 2435->2412
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.3350336235.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_2df0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: LRsq$LRsq
                                              • API String ID: 0-2113534932
                                              • Opcode ID: 3446162b4e1e2e22ae1642d47aafb1b0669952429df565428033295cd2464204
                                              • Instruction ID: 25e86bb0326bf107ee6692c1f1f5f1803c79fe3f32bc63b4f3521e0744789d2f
                                              • Opcode Fuzzy Hash: 3446162b4e1e2e22ae1642d47aafb1b0669952429df565428033295cd2464204
                                              • Instruction Fuzzy Hash: B441F571A002159FDB19DB78C4507EEBBB6EF89300F21842AE911EB781EB75DC46CB94

                                              Control-flow Graph

                                              control_flow_graph 3052 646e1b0-646e1bb 3053 646e1e5-646e204 call 646d5ac 3052->3053 3054 646e1bd-646e1e4 call 646d5a0 3052->3054 3060 646e206-646e209 3053->3060 3061 646e20a-646e25a 3053->3061 3066 646e25c-646e269 3061->3066 3067 646e2c9-646e2fc GlobalMemoryStatusEx 3061->3067 3072 646e26f-646e27f 3066->3072 3073 646e26b-646e26e 3066->3073 3070 646e305-646e32d 3067->3070 3071 646e2fe-646e304 3067->3071 3071->3070 3072->3067
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.3377147407.0000000006460000.00000040.00000800.00020000.00000000.sdmp, Offset: 06460000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_6460000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: cb70535a978946779800f7a9af925540448de9bf37db91886f5d1da695ae0492
                                              • Instruction ID: f1088249810e3bbba02e4aadc0021779d64411eeb42292208e58124a04c13755
                                              • Opcode Fuzzy Hash: cb70535a978946779800f7a9af925540448de9bf37db91886f5d1da695ae0492
                                              • Instruction Fuzzy Hash: 45317A72E053924FCB119B7AD8146DEBFF1AF85210F1485ABE404DB241DB789885C7D1

                                              Control-flow Graph

                                              control_flow_graph 3077 646e280-646e284 3078 646e286-646e2c6 3077->3078 3079 646e24d-646e269 3077->3079 3080 646e2c9 3078->3080 3086 646e26f-646e27f 3079->3086 3087 646e26b-646e26e 3079->3087 3083 646e2ce-646e2fc GlobalMemoryStatusEx 3080->3083 3084 646e305-646e32d 3083->3084 3085 646e2fe-646e304 3083->3085 3085->3084 3086->3080
                                              APIs
                                              • GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,0646E202), ref: 0646E2EF
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.3377147407.0000000006460000.00000040.00000800.00020000.00000000.sdmp, Offset: 06460000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_6460000_RegAsm.jbxd
                                              Similarity
                                              • API ID: GlobalMemoryStatus
                                              • String ID:
                                              • API String ID: 1890195054-0
                                              • Opcode ID: dfed42ebb578929c0d6e8b68ee6027f7f0888affb473b7cd6deeaa76c5df05bc
                                              • Instruction ID: 6eaf40c72aff8fa6d6a366c53aaec3d8ab081dd9e86367c42d440671420deae4
                                              • Opcode Fuzzy Hash: dfed42ebb578929c0d6e8b68ee6027f7f0888affb473b7cd6deeaa76c5df05bc
                                              • Instruction Fuzzy Hash: A52157B5C0021ADBDB10CFAAC544BDEBBF5AF48320F25855AE818A7740D77899408FA1

                                              Control-flow Graph

                                              control_flow_graph 3091 646d5ac-646e2fc GlobalMemoryStatusEx 3095 646e305-646e32d 3091->3095 3096 646e2fe-646e304 3091->3096 3096->3095
                                              APIs
                                              • GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,0646E202), ref: 0646E2EF
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.3377147407.0000000006460000.00000040.00000800.00020000.00000000.sdmp, Offset: 06460000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_6460000_RegAsm.jbxd
                                              Similarity
                                              • API ID: GlobalMemoryStatus
                                              • String ID:
                                              • API String ID: 1890195054-0
                                              • Opcode ID: 65e815f19a053fa2e70b02ee6a06b62941d9cf6bf891c22eeb3794f0f1f79750
                                              • Instruction ID: 7c7d0692ae23e90197f53e8de56df0d25e2c1006dfb0902a610867bb2ab3b758
                                              • Opcode Fuzzy Hash: 65e815f19a053fa2e70b02ee6a06b62941d9cf6bf891c22eeb3794f0f1f79750
                                              • Instruction Fuzzy Hash: 991103B5C0465A9BDB10CF9AC544BEEFBF4AF48320F14816AE918B7240D378A944CFE1
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.3350336235.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_2df0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: PHsq
                                              • API String ID: 0-3083888473
                                              • Opcode ID: 284163cfb91ee9ae396a44836a5cd9e687c54a46533bcc3aadd99580d750141e
                                              • Instruction ID: f431061c0895ef348a2b1c938f13f190600b7a9762ec1beefb4acc9658f59867
                                              • Opcode Fuzzy Hash: 284163cfb91ee9ae396a44836a5cd9e687c54a46533bcc3aadd99580d750141e
                                              • Instruction Fuzzy Hash: 1D310131B002058FCB59AB34D5947AE7BE3EB89200F154869D502DB385EF39DC46C795
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.3350336235.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_2df0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: PHsq
                                              • API String ID: 0-3083888473
                                              • Opcode ID: 1a2397ed04bfc320d0e1102e69b0f7ba9acc014ee23a3383cab67ce41220bdf8
                                              • Instruction ID: 8e06e9cf6230808b9c8cae419eb562a9f7b866ab8defc55b0e5dc302f0d1a998
                                              • Opcode Fuzzy Hash: 1a2397ed04bfc320d0e1102e69b0f7ba9acc014ee23a3383cab67ce41220bdf8
                                              • Instruction Fuzzy Hash: 3431D031B002098FCB59AB38D55466E7BE7BF89200F154868D506DB389EF35DC45CB99
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.3350336235.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_2df0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: LRsq
                                              • API String ID: 0-3165563352
                                              • Opcode ID: ae508d534dc0dac0c37764c8a3aa63b887cb60babcb3b862eb25e29eb569031f
                                              • Instruction ID: ca337a9ff51e8c41cb874322622b1b39ba4aee5923e758fff76fd39903c0ad4c
                                              • Opcode Fuzzy Hash: ae508d534dc0dac0c37764c8a3aa63b887cb60babcb3b862eb25e29eb569031f
                                              • Instruction Fuzzy Hash: 56316B71E002099BEB58CF65D440BDEF7B2EF89310F218526E912EB740EB719D45CB54
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.3350336235.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_2df0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: LRsq
                                              • API String ID: 0-3165563352
                                              • Opcode ID: c66eee6658197f4b1fa2de8950320e7a48393c969fc52a9df42be592f91a71dc
                                              • Instruction ID: d703d5815a5b50f1156ce91bbd9be23babe6d016e8eb341e8d435eef619e9529
                                              • Opcode Fuzzy Hash: c66eee6658197f4b1fa2de8950320e7a48393c969fc52a9df42be592f91a71dc
                                              • Instruction Fuzzy Hash: 941129B27082514FC705A7B8D4A53AE7FB2EF8A314F14846FC996CB741DE789842C791
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.3350336235.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_2df0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 55492766676b78bff9348c80476b075cc9a4a35603656a99e43ef7d76f5aaece
                                              • Instruction ID: 3a629f859b4fd8a48dc367f1c1af603bee26ebe13ccfaca2362114c2ea3e932b
                                              • Opcode Fuzzy Hash: 55492766676b78bff9348c80476b075cc9a4a35603656a99e43ef7d76f5aaece
                                              • Instruction Fuzzy Hash: F0125D307002029BDB59AB38E494B6CB7A2FB89314F618D39E506CB345CF79DC86DB95
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.3350336235.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_2df0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5b6a8fc2e3ab451a0aa2b33e81676053e0acfe6782054f5227fac28dfe6c57ae
                                              • Instruction ID: c0a5d8cbe6626c9b6263938562bbd3cc451a016e0d7a1d65cee1ef9fab6da76e
                                              • Opcode Fuzzy Hash: 5b6a8fc2e3ab451a0aa2b33e81676053e0acfe6782054f5227fac28dfe6c57ae
                                              • Instruction Fuzzy Hash: 1A126D307002069BDB59AB38E494B6CB7A2FB89314F618D2DE506CB345CF75DC82CB95
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.3350336235.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_2df0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c702ebfbf84adf514ab6394ebf6873a84d7b7c112a125b206ab48ffd9f1752d8
                                              • Instruction ID: c217d3cf2c3133364c508f1f4f924eb16f0e0877ee44654b23bb5bb896fa0b66
                                              • Opcode Fuzzy Hash: c702ebfbf84adf514ab6394ebf6873a84d7b7c112a125b206ab48ffd9f1752d8
                                              • Instruction Fuzzy Hash: 5EA17E71E00209CFDB50CFA8D9857DEBBF1AF88314F158129EA18EB354EB749885CB95
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.3350336235.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_2df0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 38001b1c553b2de0148c21b75247cc7b9cead7e91ef44560e2b4e3e3dddbc83e
                                              • Instruction ID: 427288ad8e5059cab1d7cf4a8143dd52084403ce3dda53879e215e4e12d054ef
                                              • Opcode Fuzzy Hash: 38001b1c553b2de0148c21b75247cc7b9cead7e91ef44560e2b4e3e3dddbc83e
                                              • Instruction Fuzzy Hash: 64917D74A002049FCB58DF68D494BADBBF2EF88314F158429E906EB364DB35DC46CB54
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.3350336235.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_2df0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 10b6b0ea8dcf841ab05f5a045c8b4e515e6577e69b74e2a812a3df2e95b73ba6
                                              • Instruction ID: bf345c4a3e8dc4c104a72d2febdc888da175074899c077f42618c0941bdc6395
                                              • Opcode Fuzzy Hash: 10b6b0ea8dcf841ab05f5a045c8b4e515e6577e69b74e2a812a3df2e95b73ba6
                                              • Instruction Fuzzy Hash: 5A918E70E00249DFDB90CFA8C9857DEBBF2AF48314F168129E615E7394EB349885CB95
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.3350336235.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_2df0000_RegAsm.jbxd
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.3349569656.000000000133D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0133D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_133d000_RegAsm.jbxd
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.3350336235.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_2df0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3486d65a18d6fa4c0fc7ad6dff733219587cdaca18e03f59496714cc9da32e80
                                              • Instruction ID: 8e53708cd8719d533fb0be3fe61d8d0a3b3b83aa5112e78ae987bfb3509d2280
                                              • Opcode Fuzzy Hash: 3486d65a18d6fa4c0fc7ad6dff733219587cdaca18e03f59496714cc9da32e80
                                              • Instruction Fuzzy Hash: DC111B30D04209DECFB4DB94D9887EEB772AF6131AF162029D211B22A4EB304DC9CF19
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.3350336235.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_2df0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 1d3090f828c6ca77c0d3f3aabc8d269cedd194e92cc17f95541d2362bff323f0
                                              • Instruction ID: 93b50dacd1f06aad63d2cbc6b2647f99f5e5d7317d5254a415315e5a9887482d
                                              • Opcode Fuzzy Hash: 1d3090f828c6ca77c0d3f3aabc8d269cedd194e92cc17f95541d2362bff323f0
                                              • Instruction Fuzzy Hash: 2DF02B77A08150DFD7628BA488901AC7B71FF94211B1B00D7CA4ADB356D735DC42CB19
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.3350336235.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_2df0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: cbcff5d5c9d3ea6543eea3fe6e7ef8c6cc1c61566617dd5a8dac1d1d1eb2f93d
                                              • Instruction ID: 77b22170098c1e1d7d101ae458b014f9eab1e6c7ba5d93f70f57eb29b2903b29
                                              • Opcode Fuzzy Hash: cbcff5d5c9d3ea6543eea3fe6e7ef8c6cc1c61566617dd5a8dac1d1d1eb2f93d
                                              • Instruction Fuzzy Hash: 66F0EC39B00218CFCB08DB64D699BADB7B2EF89715F114068E6069B3A5DF31AD42DB40
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.3350336235.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_2df0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5c25ab5c62b1e9bb38dbb8df4240a9acd45774e82a93a5ca770c9e9446e5de7e
                                              • Instruction ID: d36366ffed94d5d868ead49f96f7bc819bcbeafb2a0c98d3ef50cf6df437f9c7
                                              • Opcode Fuzzy Hash: 5c25ab5c62b1e9bb38dbb8df4240a9acd45774e82a93a5ca770c9e9446e5de7e
                                              • Instruction Fuzzy Hash: 67F0317491010EEFCF09FFB8F990A9D77B1EB44304F509A79C905AB254DE312E54AB91
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.3377147407.0000000006460000.00000040.00000800.00020000.00000000.sdmp, Offset: 06460000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_6460000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: $sq$$sq$$sq$$sq$$sq$$sq$$sq$$sq$$sq$$sq
                                              • API String ID: 0-4253766512
                                              • Opcode ID: 49298e02a65225b23111f99c62dd89a1356c4bb03fcb1ddcfa765b77017d2541
                                              • Instruction ID: e8ad0a1b8b08b6c7665020f21ebc2c4b2cb260a7a944673ba0bd4a9569d7c4ca
                                              • Opcode Fuzzy Hash: 49298e02a65225b23111f99c62dd89a1356c4bb03fcb1ddcfa765b77017d2541
                                              • Instruction Fuzzy Hash: 6B123070E00219CFDB69DF65D894A9EB7B2FF89300F20856AE409AB355DB309D85CF51
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.3377147407.0000000006460000.00000040.00000800.00020000.00000000.sdmp, Offset: 06460000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_6460000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: XPxq$\Oxq
                                              • API String ID: 0-1810105689
                                              • Opcode ID: 9ed1cca39419231288ce49320f37465b0155bbd6ca1b6c4ff90cb6c08786dfce
                                              • Instruction ID: 8dc2a38b09bd781859d8e23851c05c71ea7184e79431adaba24086444d3acc53
                                              • Opcode Fuzzy Hash: 9ed1cca39419231288ce49320f37465b0155bbd6ca1b6c4ff90cb6c08786dfce
                                              • Instruction Fuzzy Hash: 21D1E231B101548FDB66DF6AD480AAEBBB2FF89310F25946BE406DB351CA35DC42C792
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.3350336235.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_2df0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 1372443e6a2cd2a23db93db02c5ab16b95e299e0caab5de3a6c81ba0eb100918
                                              • Instruction ID: 58d1fcb67a8396f8a0fdbcb47468ff0ef5dff3730660d9be0a791727d94a0cac
                                              • Opcode Fuzzy Hash: 1372443e6a2cd2a23db93db02c5ab16b95e299e0caab5de3a6c81ba0eb100918
                                              • Instruction Fuzzy Hash: 41B15B70E00209CFDB50CFA9D9857AEBBF2AF88314F158129EA15A7394EB749C45CF85