
Windows Analysis Report
Quotation For Inverter.exe

Overview

General Information

Sample name: Quotation For Inverter.exe
Analysis ID: 1446074
MD5: 9c45e536f5c88334f24cab2ab89ee21e
SHA1: 586564ab3bd5ea6c329d91af2cb90c62593cc5f9
SHA256: 26519d3b87b0bce9cacd121c6837fdf4e91500b52c14735068bb495f04fe1852
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Initial sample is a PE file and has a suspicious name
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • Quotation For Inverter.exe (PID: 2744 cmdline: "C:\Users\user\Desktop\Quotation For Inverter.exe" MD5: 9C45E536F5C88334F24CAB2AB89EE21E)
    • powershell.exe (PID: 5720 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 3704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 3472 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 4892 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KaCTPSocApHQCE" /XML "C:\Users\user\AppData\Local\Temp\tmpBEAB.tmp" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • conhost.exe (PID: 5268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 6496 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe MD5: DC67ADE51149EC0C373A379473895BA1)
      • WerFault.exe (PID: 3268 cmdline: C:\Windows\system32\WerFault.exe -u -p 6496 -s 12 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • KaCTPSocApHQCE.exe (PID: 2792 cmdline: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe MD5: 9C45E536F5C88334F24CAB2AB89EE21E)
    • schtasks.exe (PID: 2720 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KaCTPSocApHQCE" /XML "C:\Users\user\AppData\Local\Temp\tmpC4D5.tmp" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • conhost.exe (PID: 4608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 5476 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe MD5: DC67ADE51149EC0C373A379473895BA1)
      • WerFault.exe (PID: 6492 cmdline: C:\Windows\system32\WerFault.exe -u -p 5476 -s 12 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
Agent Tesla, AgentTesla | A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel. | SWEED | (none) | https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.lucky-tours.com", "Username": "mohamed.sabry@lucky-tours.com", "Password": "Moh!@#123"}
Source | Rule | Description | Author | Strings
0000000B.00000002.2159136826.0000000013240000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0000000B.00000002.2159136826.0000000013240000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000B.00000002.2161143746.000000001E204000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0000000B.00000002.2161143746.000000001E204000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.2135269832.000000001F27D000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security

Source | Rule | Description | Author | Strings
11.2.KaCTPSocApHQCE.exe.132400c0.14.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
11.2.KaCTPSocApHQCE.exe.132400c0.14.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
11.2.KaCTPSocApHQCE.exe.132400c0.14.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
  • 0x31729:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x3179b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x31825:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x318b7:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x31921:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x31993:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x31a29:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x31ab9:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Quotation For Inverter.exe.13e8e8c0.12.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.Quotation For Inverter.exe.13e8e8c0.12.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

                    System Summary

Source: Process started | Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems) | Data: Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe, ParentCommandLine: "C:\Users\user\Desktop\Quotation For Inverter.exe", ParentImage: C:\Users\user\Desktop\Quotation For Inverter.exe, ParentProcessId: 2744, ParentProcessName: Quotation For Inverter.exe, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe, ProcessId: 6496, ProcessName: RegSvcs.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Quotation For Inverter.exe", ParentImage: C:\Users\user\Desktop\Quotation For Inverter.exe, ParentProcessId: 2744, ParentProcessName: Quotation For Inverter.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe", ProcessId: 5720, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KaCTPSocApHQCE" /XML "C:\Users\user\AppData\Local\Temp\tmpC4D5.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KaCTPSocApHQCE" /XML "C:\Users\user\AppData\Local\Temp\tmpC4D5.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe, ParentImage: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe, ParentProcessId: 2792, ParentProcessName: KaCTPSocApHQCE.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KaCTPSocApHQCE" /XML "C:\Users\user\AppData\Local\Temp\tmpC4D5.tmp", ProcessId: 2720, ProcessName: schtasks.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KaCTPSocApHQCE" /XML "C:\Users\user\AppData\Local\Temp\tmpBEAB.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KaCTPSocApHQCE" /XML "C:\Users\user\AppData\Local\Temp\tmpBEAB.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Quotation For Inverter.exe", ParentImage: C:\Users\user\Desktop\Quotation For Inverter.exe, ParentProcessId: 2744, ParentProcessName: Quotation For Inverter.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KaCTPSocApHQCE" /XML "C:\Users\user\AppData\Local\Temp\tmpBEAB.tmp", ProcessId: 4892, ProcessName: schtasks.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Quotation For Inverter.exe", ParentImage: C:\Users\user\Desktop\Quotation For Inverter.exe, ParentProcessId: 2744, ParentProcessName: Quotation For Inverter.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe", ProcessId: 5720, ProcessName: powershell.exe

                    Persistence and Installation Behavior

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KaCTPSocApHQCE" /XML "C:\Users\user\AppData\Local\Temp\tmpBEAB.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KaCTPSocApHQCE" /XML "C:\Users\user\AppData\Local\Temp\tmpBEAB.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Quotation For Inverter.exe", ParentImage: C:\Users\user\Desktop\Quotation For Inverter.exe, ParentProcessId: 2744, ParentProcessName: Quotation For Inverter.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KaCTPSocApHQCE" /XML "C:\Users\user\AppData\Local\Temp\tmpBEAB.tmp", ProcessId: 4892, ProcessName: schtasks.exe
                    No Snort rule has matched


                    AV Detection

Source: 11.2.KaCTPSocApHQCE.exe.1327ab00.13.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.lucky-tours.com", "Username": "mohamed.sabry@lucky-tours.com", "Password": "Moh!@#123"}
Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe | ReversingLabs: Detection: 39%
Source: Quotation For Inverter.exe | ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe | Joe Sandbox ML: detected
Source: Quotation For Inverter.exe | Joe Sandbox ML: detected
Source: Quotation For Inverter.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: rXza.pdb | source: Quotation For Inverter.exe, KaCTPSocApHQCE.exe.0.dr
Source: Binary string: rXza.pdbSHA256+ | source: Quotation For Inverter.exe, KaCTPSocApHQCE.exe.0.dr

                    Networking

Source: Yara match | File source: 0.2.Quotation For Inverter.exe.13ec9300.11.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Quotation For Inverter.exe.13e8e8c0.12.raw.unpack, type: UNPACKEDPE
Source: Quotation For Inverter.exe, 00000000.00000002.2131184671.0000000003C6E000.00000004.00000800.00020000.00000000.sdmp, KaCTPSocApHQCE.exe, 0000000B.00000002.2139393756.0000000002FB4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Quotation For Inverter.exe, 00000000.00000002.2132764090.0000000013E8E000.00000004.00000800.00020000.00000000.sdmp, Quotation For Inverter.exe, 00000000.00000002.2135269832.000000001F27D000.00000004.00000020.00020000.00000000.sdmp, KaCTPSocApHQCE.exe, 0000000B.00000002.2159136826.0000000013240000.00000004.00000800.00020000.00000000.sdmp, KaCTPSocApHQCE.exe, 0000000B.00000002.2161143746.000000001E204000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
Source: Quotation For Inverter.exe, 00000000.00000002.2132764090.0000000013E8E000.00000004.00000800.00020000.00000000.sdmp, Quotation For Inverter.exe, 00000000.00000002.2135269832.000000001F27D000.00000004.00000020.00020000.00000000.sdmp, KaCTPSocApHQCE.exe, 0000000B.00000002.2159136826.0000000013240000.00000004.00000800.00020000.00000000.sdmp, KaCTPSocApHQCE.exe, 0000000B.00000002.2161143746.000000001E204000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.Quotation For Inverter.exe.13ec9300.11.raw.unpack, J4qms1IPBw.cs | .Net Code: m1HBzQVNvl
Source: 0.2.Quotation For Inverter.exe.13e8e8c0.12.raw.unpack, J4qms1IPBw.cs | .Net Code: m1HBzQVNvl
Source: 11.2.KaCTPSocApHQCE.exe.1327ab00.13.raw.unpack, J4qms1IPBw.cs | .Net Code: m1HBzQVNvl
Source: 11.2.KaCTPSocApHQCE.exe.132400c0.14.raw.unpack, J4qms1IPBw.cs | .Net Code: m1HBzQVNvl

                    System Summary

Source: 11.2.KaCTPSocApHQCE.exe.132400c0.14.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Quotation For Inverter.exe.13e8e8c0.12.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 11.2.KaCTPSocApHQCE.exe.1327ab00.13.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Quotation For Inverter.exe.13ec9300.11.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 11.2.KaCTPSocApHQCE.exe.1327ab00.13.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 11.2.KaCTPSocApHQCE.exe.132400c0.14.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Quotation For Inverter.exe.13ec9300.11.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Quotation For Inverter.exe.13e8e8c0.12.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: initial sample | Static PE information: Filename: Quotation For Inverter.exe
Source: C:\Users\user\Desktop\Quotation For Inverter.exe | Code function: 0_2_00007FFD347D39B8
Source: C:\Users\user\Desktop\Quotation For Inverter.exe | Code function: 0_2_00007FFD347D2C88
Source: C:\Users\user\Desktop\Quotation For Inverter.exe | Code function: 0_2_00007FFD347D2BE8
Source: C:\Users\user\Desktop\Quotation For Inverter.exe | Code function: 0_2_00007FFD347D6DBA
Source: C:\Users\user\Desktop\Quotation For Inverter.exe | Code function: 0_2_00007FFD347D9B4C
Source: C:\Users\user\Desktop\Quotation For Inverter.exe | Code function: 0_2_00007FFD347D4380
Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe | Code function: 11_2_00007FFD347F39B8
Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe | Code function: 11_2_00007FFD347F2C88
Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe | Code function: 11_2_00007FFD347F2BE8
Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe | Code function: 11_2_00007FFD347F6DBA
Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe | Code function: 11_2_00007FFD347F9B4C
Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe | Code function: 11_2_00007FFD347F4380
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6496 -s 12
Source: KaCTPSocApHQCE.exe.0.dr | Static PE information: No import functions for PE file found
Source: Quotation For Inverter.exe | Static PE information: No import functions for PE file found
Source: Quotation For Inverter.exe, 00000000.00000002.2130759369.0000000001A40000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameAxiom.dll@ vs Quotation For Inverter.exe
Source: Quotation For Inverter.exe, 00000000.00000002.2132764090.0000000013BBF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAxiom.dll@ vs Quotation For Inverter.exe
Source: Quotation For Inverter.exe, 00000000.00000002.2130806953.0000000001A70000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameReactionDiffusion.dll0 vs Quotation For Inverter.exe
Source: Quotation For Inverter.exe, 00000000.00000002.2132764090.0000000013E8E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename07c9e81c-d51c-4388-94b3-3ce637764a81.exe4 vs Quotation For Inverter.exe
Source: Quotation For Inverter.exe, 00000000.00000002.2132764090.0000000013E8E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs Quotation For Inverter.exe
Source: Quotation For Inverter.exe, 00000000.00000000.2089158911.0000000000624000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamerXza.exe4 vs Quotation For Inverter.exe
Source: Quotation For Inverter.exe, 00000000.00000002.2131184671.0000000004101000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameReactionDiffusion.dll0 vs Quotation For Inverter.exe
Source: Quotation For Inverter.exe, 00000000.00000002.2131184671.000000000414D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameReactionDiffusion.dll0 vs Quotation For Inverter.exe
Source: Quotation For Inverter.exe, 00000000.00000002.2135269832.000000001F27D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamePowerS# vs Quotation For Inverter.exe
Source: Quotation For Inverter.exe, 00000000.00000002.2135269832.000000001F27D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename07c9e81c-d51c-4388-94b3-3ce637764a81.exe4 vs Quotation For Inverter.exe
Source: Quotation For Inverter.exe, 00000000.00000002.2134871247.000000001DF10000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs Quotation For Inverter.exe
Source: Quotation For Inverter.exe, 00000000.00000002.2131184671.0000000003C6E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename07c9e81c-d51c-4388-94b3-3ce637764a81.exe4 vs Quotation For Inverter.exe
Source: Quotation For Inverter.exe | Binary or memory string: OriginalFilenamerXza.exe4 vs Quotation For Inverter.exe
Source: 11.2.KaCTPSocApHQCE.exe.132400c0.14.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Quotation For Inverter.exe.13e8e8c0.12.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.KaCTPSocApHQCE.exe.1327ab00.13.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Quotation For Inverter.exe.13ec9300.11.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.KaCTPSocApHQCE.exe.1327ab00.13.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.KaCTPSocApHQCE.exe.132400c0.14.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Quotation For Inverter.exe.13ec9300.11.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Quotation For Inverter.exe.13e8e8c0.12.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: Quotation For Inverter.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: KaCTPSocApHQCE.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.Quotation For Inverter.exe.13ec9300.11.raw.unpack, Lds5plxAPDj.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Quotation For Inverter.exe.13ec9300.11.raw.unpack, LZYJybC.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Quotation For Inverter.exe.13ec9300.11.raw.unpack, wDxPSW1p.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Quotation For Inverter.exe.13ec9300.11.raw.unpack, E0w8WLnyggK.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.Quotation For Inverter.exe.13ec9300.11.raw.unpack, ZBSJHga2buE.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Quotation For Inverter.exe.13ec9300.11.raw.unpack, M4oIYVa.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Quotation For Inverter.exe.13ec9300.11.raw.unpack, kSS2HMsB8.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@18/11@0/0
Source: C:\Users\user\Desktop\Quotation For Inverter.exe | File created: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe
Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe | Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe | Mutant created: \Sessions\1\BaseNamedObjects\oKANYrPniqsnxP
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6496
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5268:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3704:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4608:120:WilError_03
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5476
Source: C:\Users\user\Desktop\Quotation For Inverter.exe | File created: C:\Users\user\AppData\Local\Temp\tmpBEAB.tmp
Source: C:\Users\user\Desktop\Quotation For Inverter.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Quotation For Inverter.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Quotation For Inverter.exe | File read: C:\Users\user\Desktop\Quotation For Inverter.exe:Zone.Identifier
Source: unknown | Process created: C:\Users\user\Desktop\Quotation For Inverter.exe "C:\Users\user\Desktop\Quotation For Inverter.exe"
Source: C:\Users\user\Desktop\Quotation For Inverter.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation For Inverter.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KaCTPSocApHQCE" /XML "C:\Users\user\AppData\Local\Temp\tmpBEAB.tmp"
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation For Inverter.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6496 -s 12
Source: unknown | Process created: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe
Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KaCTPSocApHQCE" /XML "C:\Users\user\AppData\Local\Temp\tmpC4D5.tmp"
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5476 -s 12
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                    Source: C:\Users\user\Desktop\Quotation For Inverter.exe | Section loaded: mscoree.dll
                    Source: C:\Users\user\Desktop\Quotation For Inverter.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\Desktop\Quotation For Inverter.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\Quotation For Inverter.exe | Section loaded: version.dll
                    Source: C:\Users\user\Desktop\Quotation For Inverter.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\Desktop\Quotation For Inverter.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\Quotation For Inverter.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\Quotation For Inverter.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\Quotation For Inverter.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\Quotation For Inverter.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\Desktop\Quotation For Inverter.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\Quotation For Inverter.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\Quotation For Inverter.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\Quotation For Inverter.exe | Section loaded: dwrite.dll
                    Source: C:\Users\user\Desktop\Quotation For Inverter.exe | Section loaded: windowscodecs.dll
                    Source: C:\Users\user\Desktop\Quotation For Inverter.exe | Section loaded: amsi.dll
                    Source: C:\Users\user\Desktop\Quotation For Inverter.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\Desktop\Quotation For Inverter.exe | Section loaded: urlmon.dll
                    Source: C:\Users\user\Desktop\Quotation For Inverter.exe | Section loaded: iertutil.dll
                    Source: C:\Users\user\Desktop\Quotation For Inverter.exe | Section loaded: srvcli.dll
                    Source: C:\Users\user\Desktop\Quotation For Inverter.exe | Section loaded: netutils.dll
                    Source: C:\Users\user\Desktop\Quotation For Inverter.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\Quotation For Inverter.exe | Section loaded: propsys.dll
                    Source: C:\Users\user\Desktop\Quotation For Inverter.exe | Section loaded: ntmarta.dll
                    Source: C:\Users\user\Desktop\Quotation For Inverter.exe | Section loaded: edputil.dll
                    Source: C:\Users\user\Desktop\Quotation For Inverter.exe | Section loaded: windows.staterepositoryps.dll
                    Source: C:\Users\user\Desktop\Quotation For Inverter.exe | Section loaded: wintypes.dll
                    Source: C:\Users\user\Desktop\Quotation For Inverter.exe | Section loaded: appresolver.dll
                    Source: C:\Users\user\Desktop\Quotation For Inverter.exe | Section loaded: bcp47langs.dll
                    Source: C:\Users\user\Desktop\Quotation For Inverter.exe | Section loaded: slc.dll
                    Source: C:\Users\user\Desktop\Quotation For Inverter.exe | Section loaded: sppc.dll
                    Source: C:\Users\user\Desktop\Quotation For Inverter.exe | Section loaded: onecorecommonproxystub.dll
                    Source: C:\Users\user\Desktop\Quotation For Inverter.exe | Section loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                    Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
                    Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe | Section loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe | Section loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe | Section loaded: dwrite.dll
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe | Section loaded: windowscodecs.dll
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe | Section loaded: amsi.dll
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe | Section loaded: urlmon.dll
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe | Section loaded: iertutil.dll
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe | Section loaded: srvcli.dll
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe | Section loaded: netutils.dll
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe | Section loaded: propsys.dll
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe | Section loaded: edputil.dll
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe | Section loaded: windows.staterepositoryps.dll
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe | Section loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe | Section loaded: appresolver.dll
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe | Section loaded: bcp47langs.dll
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe | Section loaded: slc.dll
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe | Section loaded: sppc.dll
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe | Section loaded: onecorecommonproxystub.dll
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe | Section loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
                    Source: C:\Users\user\Desktop\Quotation For Inverter.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                    Source: Window Recorder | Window detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\Quotation For Inverter.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                    Source: Quotation For Inverter.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: Quotation For Inverter.exe | Static PE information: Image base 0x140000000 > 0x60000000
                    Source: Quotation For Inverter.exe | Static file information: File size 1089024 > 1048576
                    Source: Quotation For Inverter.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Quotation For Inverter.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: rXza.pdb | source: Quotation For Inverter.exe, KaCTPSocApHQCE.exe.0.dr
                    Source: Binary string: rXza.pdbSHA256+ | source: Quotation For Inverter.exe, KaCTPSocApHQCE.exe.0.dr

                    Data Obfuscation

                    Source: Quotation For Inverter.exe, Form11.cs | .Net Code: InitializeComponent System.AppDomain.Load(byte[])
                    Source: KaCTPSocApHQCE.exe.0.dr, Form11.cs | .Net Code: InitializeComponent System.AppDomain.Load(byte[])
                    Source: Quotation For Inverter.exe | Static PE information: 0xE3CFB179 [Sun Feb 11 13:36:57 2091 UTC]
                    Source: Quotation For Inverter.exe | Static PE information: section name: .text entropy: 7.932481409512327
                    Source: KaCTPSocApHQCE.exe.0.dr | Static PE information: section name: .text entropy: 7.932481409512327
                    Source: C:\Users\user\Desktop\Quotation For Inverter.exe | File created: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe

                    Boot Survival

                    Source: C:\Users\user\Desktop\Quotation For Inverter.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KaCTPSocApHQCE" /XML "C:\Users\user\AppData\Local\Temp\tmpBEAB.tmp"

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Users\user\Desktop\Quotation For Inverter.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Quotation For Inverter.exe  Memory allocated: E50000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Quotation For Inverter.exe  Memory allocated: 1BBB0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe  Memory allocated: AD0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe  Memory allocated: 1AF60000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Quotation For Inverter.exe  Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe  Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 5452
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 4379
                    Source: C:\Users\user\Desktop\Quotation For Inverter.exe TID: 612  Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6884  Thread sleep time: -4611686018427385s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe TID: 5320  Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\conhost.exe  Last function: Thread delayed (2 entries)
                    Source: C:\Users\user\Desktop\Quotation For Inverter.exe  Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe  Thread delayed: delay time: 922337203685477
                    Source: Quotation For Inverter.exe, 00000000.00000002.2135269832.000000001F252000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: 00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}x
                    Source: C:\Users\user\Desktop\Quotation For Inverter.exe  Process information queried: ProcessInformation
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe  Process queried: DebugPort (4 entries)
                    Source: C:\Users\user\Desktop\Quotation For Inverter.exe  Process token adjusted: Debug
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\Quotation For Inverter.exe  Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\Quotation For Inverter.exe  Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe"
                    Source: C:\Users\user\Desktop\Quotation For Inverter.exe  Thread register set: target process: 6496
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe  Thread register set: target process: 5476
                    Source: C:\Users\user\Desktop\Quotation For Inverter.exe  Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe base: 630A22010
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe  Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe base: 607A1CB010
                    Source: C:\Users\user\Desktop\Quotation For Inverter.exe  Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe"
                    Source: C:\Users\user\Desktop\Quotation For Inverter.exe  Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KaCTPSocApHQCE" /XML "C:\Users\user\AppData\Local\Temp\tmpBEAB.tmp"
                    Source: C:\Users\user\Desktop\Quotation For Inverter.exe  Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe  Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KaCTPSocApHQCE" /XML "C:\Users\user\AppData\Local\Temp\tmpC4D5.tmp"
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe  Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
                    Source: C:\Users\user\Desktop\Quotation For Inverter.exe  Queries volume information: C:\Users\user\Desktop\Quotation For Inverter.exe VolumeInformation
                    Source: C:\Users\user\Desktop\Quotation For Inverter.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Quotation For Inverter.exe  Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (6 entries)
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation (3 entries)
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe  Queries volume information: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Quotation For Inverter.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

                    Source: Yara match | File source: 11.2.KaCTPSocApHQCE.exe.132400c0.14.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.Quotation For Inverter.exe.13e8e8c0.12.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 11.2.KaCTPSocApHQCE.exe.1327ab00.13.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.Quotation For Inverter.exe.13ec9300.11.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 11.2.KaCTPSocApHQCE.exe.1327ab00.13.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 11.2.KaCTPSocApHQCE.exe.132400c0.14.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.Quotation For Inverter.exe.13ec9300.11.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.Quotation For Inverter.exe.13e8e8c0.12.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0000000B.00000002.2159136826.0000000013240000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000B.00000002.2161143746.000000001E204000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.2135269832.000000001F27D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.2132764090.0000000013E8E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: Quotation For Inverter.exe PID: 2744, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: KaCTPSocApHQCE.exe PID: 2792, type: MEMORYSTR
                    Source: Yara match | File source: 11.2.KaCTPSocApHQCE.exe.132400c0.14.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.Quotation For Inverter.exe.13e8e8c0.12.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 11.2.KaCTPSocApHQCE.exe.1327ab00.13.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.Quotation For Inverter.exe.13ec9300.11.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 11.2.KaCTPSocApHQCE.exe.1327ab00.13.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 11.2.KaCTPSocApHQCE.exe.132400c0.14.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.Quotation For Inverter.exe.13ec9300.11.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.Quotation For Inverter.exe.13e8e8c0.12.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0000000B.00000002.2159136826.0000000013240000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000B.00000002.2161143746.000000001E204000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.2135269832.000000001F27D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.2132764090.0000000013E8E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: Quotation For Inverter.exe PID: 2744, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: KaCTPSocApHQCE.exe PID: 2792, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara match | File source: 11.2.KaCTPSocApHQCE.exe.132400c0.14.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.Quotation For Inverter.exe.13e8e8c0.12.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 11.2.KaCTPSocApHQCE.exe.1327ab00.13.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.Quotation For Inverter.exe.13ec9300.11.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 11.2.KaCTPSocApHQCE.exe.1327ab00.13.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 11.2.KaCTPSocApHQCE.exe.132400c0.14.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.Quotation For Inverter.exe.13ec9300.11.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.Quotation For Inverter.exe.13e8e8c0.12.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0000000B.00000002.2159136826.0000000013240000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000B.00000002.2161143746.000000001E204000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.2135269832.000000001F27D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.2132764090.0000000013E8E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: Quotation For Inverter.exe PID: 2744, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: KaCTPSocApHQCE.exe PID: 2792, type: MEMORYSTR
                    Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                    Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 211 Process Injection | 1 Masquerading | 1 Input Capture | 111 Security Software Discovery | Remote Services | 1 Input Capture | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                    Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 Scheduled Task/Job | 11 Disable or Modify Tools | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | 11 Archive Collected Data | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
                    Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 41 Virtualization/Sandbox Evasion | Security Account Manager | 41 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
                    Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 211 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
                    Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                    Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Obfuscated Files or Information | Cached Domain Credentials | 12 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                    DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 12 Software Packing | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                    Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Timestomp | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                    Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 DLL Side-Loading | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
                    Behavior Graph ID: 1446074, Sample: Quotation For Inverter.exe, Startdate: 22/05/2024, Architecture: WINDOWS, Score: 100
                    Signatures on the start node: Found malware configuration; Malicious sample detected (through community Yara rule); Sigma detected: Scheduled temp file as task from temp location; 11 other signatures
                    • Quotation For Inverter.exe started
                      • Dropped: C:\Users\user\AppData\...\KaCTPSocApHQCE.exe, PE32+
                      • Dropped: C:\Users\user\AppData\Local\...\tmpBEAB.tmp, XML
                      • Signatures: Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); Adds a directory exclusion to Windows Defender
                      • powershell.exe started (signature: Loading BitLocker PowerShell Module)
                        • WmiPrvSE.exe started
                        • conhost.exe started
                      • schtasks.exe started
                        • conhost.exe started
                      • RegSvcs.exe started
                        • WerFault.exe started
                    • KaCTPSocApHQCE.exe started
                      • Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
                      • schtasks.exe started
                        • conhost.exe started
                      • RegSvcs.exe started
                        • WerFault.exe started

                    Source | Detection | Scanner | Label | Link
                    Quotation For Inverter.exe | 39% | ReversingLabs | ByteCode-MSIL.Trojan.FormBook
                    Quotation For Inverter.exe | 100% | Joe Sandbox ML
                    Source | Detection | Scanner | Label | Link
                    C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe | 100% | Joe Sandbox ML
                    C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe | 39% | ReversingLabs | ByteCode-MSIL.Trojan.FormBook
                    No Antivirus matches
                    No Antivirus matches
                    Source | Detection | Scanner | Label | Link
                    https://api.ipify.org | 0% | URL Reputation | safe
                    https://account.dyn.com/ | 0% | URL Reputation | safe
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
                    No contacted domains info
                    Name | Source | Malicious | Antivirus Detection | Reputation
                    https://api.ipify.org | Quotation For Inverter.exe, 00000000.00000002.2132764090.0000000013E8E000.00000004.00000800.00020000.00000000.sdmp, Quotation For Inverter.exe, 00000000.00000002.2135269832.000000001F27D000.00000004.00000020.00020000.00000000.sdmp, KaCTPSocApHQCE.exe, 0000000B.00000002.2159136826.0000000013240000.00000004.00000800.00020000.00000000.sdmp, KaCTPSocApHQCE.exe, 0000000B.00000002.2161143746.000000001E204000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    https://account.dyn.com/ | Quotation For Inverter.exe, 00000000.00000002.2132764090.0000000013E8E000.00000004.00000800.00020000.00000000.sdmp, Quotation For Inverter.exe, 00000000.00000002.2135269832.000000001F27D000.00000004.00000020.00020000.00000000.sdmp, KaCTPSocApHQCE.exe, 0000000B.00000002.2159136826.0000000013240000.00000004.00000800.00020000.00000000.sdmp, KaCTPSocApHQCE.exe, 0000000B.00000002.2161143746.000000001E204000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Quotation For Inverter.exe, 00000000.00000002.2131184671.0000000003C6E000.00000004.00000800.00020000.00000000.sdmp, KaCTPSocApHQCE.exe, 0000000B.00000002.2139393756.0000000002FB4000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    No contacted IP infos
                    Joe Sandbox version:40.0.0 Tourmaline
                    Analysis ID:1446074
                    Start date and time:2024-05-22 22:18:32 +02:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 6m 42s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                    Number of new started processes analysed:20
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Sample name:Quotation For Inverter.exe
                    Detection:MAL
                    Classification:mal100.troj.spyw.evad.winEXE@18/11@0/0
                    EGA Information:
                    • Successful, ratio: 50%
                    HCA Information:
                    • Successful, ratio: 61%
                    • Number of executed functions: 76
                    • Number of non-executed functions: 3
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                    • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                    • Execution Graph export aborted for target Quotation For Inverter.exe, PID 2744 because it is empty
                    • Not all processes were analyzed, report is missing behavior information
                    • Report size exceeded maximum capacity and may have missing behavior information.
                    • Report size getting too big, too many NtCreateKey calls found.
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    • VT rate limit hit for: Quotation For Inverter.exe
                    Time | Type | Description
                    16:19:21 | API Interceptor | 2x Sleep call for process: Quotation For Inverter.exe modified
                    16:19:23 | API Interceptor | 2x Sleep call for process: KaCTPSocApHQCE.exe modified
                    16:19:23 | API Interceptor | 21x Sleep call for process: powershell.exe modified
                    22:19:23 | Task Scheduler | Run new task: KaCTPSocApHQCE path: C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe
                    No context
                    No context
                    No context
                    No context
                    No context
                    Process:C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe
                    File Type:CSV text
                    Category:dropped
                    Size (bytes):1709
                    Entropy (8bit):5.377336296194291
                    Encrypted:false
                    SSDEEP:48:MxHKQ71qHGIs0HKCYHKGSI6oPHKe6hAHKKkKtHTHq+vxp3/elT:iq+wmj0qCYqGSI6oPq1eqKkKtzHNZp/E
                    MD5:D9B2E6673099E58B866163E07A15761D
                    SHA1:F6E8FC777DCBE6C7CF8211E7461FABA4DC1C3A12
                    SHA-256:4DF15A48E9C2AD5C7FA6DF02FEE3F407F018A44306E5FBC776B8573781533C3D
                    SHA-512:31A24D8D7D860BDD7BCD377FB2D517C60957E1C5B5B8C014566B27214541CE4B53190B910243BF0FFD3A772C6713045F34059F330826605887894992F02C39CE
                    Malicious:false
                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Dat
                    Process:C:\Users\user\Desktop\Quotation For Inverter.exe
                    File Type:CSV text
                    Category:dropped
                    Size (bytes):1709
                    Entropy (8bit):5.377336296194291
                    Encrypted:false
                    SSDEEP:48:MxHKQ71qHGIs0HKCYHKGSI6oPHKe6hAHKKkKtHTHq+vxp3/elT:iq+wmj0qCYqGSI6oPq1eqKkKtzHNZp/E
                    MD5:D9B2E6673099E58B866163E07A15761D
                    SHA1:F6E8FC777DCBE6C7CF8211E7461FABA4DC1C3A12
                    SHA-256:4DF15A48E9C2AD5C7FA6DF02FEE3F407F018A44306E5FBC776B8573781533C3D
                    SHA-512:31A24D8D7D860BDD7BCD377FB2D517C60957E1C5B5B8C014566B27214541CE4B53190B910243BF0FFD3A772C6713045F34059F330826605887894992F02C39CE
                    Malicious:false
                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Dat
                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):64
                    Entropy (8bit):1.1940658735648508
                    Encrypted:false
                    SSDEEP:3:Nlllul3nqth:NllUa
                    MD5:851531B4FD612B0BC7891B3F401A478F
                    SHA1:483F0D1E71FB0F6EFF159AA96CC82422CF605FB3
                    SHA-256:383511F73A5CE9C50CD95B6321EFA51A8C6F18192BEEBBD532D4934E3BC1071F
                    SHA-512:A22D105E9F63872406FD271EF0A545BD76974C2674AEFF1B3256BCAC3C2128B9B8AA86B993A53BF87DBAC12ED8F00DCCAFD76E8BA431315B7953656A4CB4E931
                    Malicious:false
                    Preview:@...e.................................&..............@..........
                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    File Type:ASCII text, with no line terminators
                    Category:dropped
                    Size (bytes):60
                    Entropy (8bit):4.038920595031593
                    Encrypted:false
                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                    Malicious:false
                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    File Type:ASCII text, with no line terminators
                    Category:dropped
                    Size (bytes):60
                    Entropy (8bit):4.038920595031593
                    Encrypted:false
                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                    Malicious:false
                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    File Type:ASCII text, with no line terminators
                    Category:dropped
                    Size (bytes):60
                    Entropy (8bit):4.038920595031593
                    Encrypted:false
                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                    Malicious:false
                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    File Type:ASCII text, with no line terminators
                    Category:dropped
                    Size (bytes):60
                    Entropy (8bit):4.038920595031593
                    Encrypted:false
                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                    Malicious:false
                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                    Process:C:\Users\user\Desktop\Quotation For Inverter.exe
                    File Type:XML 1.0 document, ASCII text
                    Category:dropped
                    Size (bytes):1601
                    Entropy (8bit):5.103299437112385
                    Encrypted:false
                    SSDEEP:24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtLP8oah:cge7QYrFdOFzOzN33ODOiDdKrsuTAbv
                    MD5:DCB23C3381B0936419B56566D989107A
                    SHA1:38A5214CB4619767A5E59DDD73BDCD2DC2E0C9C8
                    SHA-256:B57D5B0AB6480E872CB329E34AA815316093A529562D7224235A10ABB322F9BF
                    SHA-512:003387D8D0129BB0D5779ACBF1F1527D2FEF7A4C907A1ED3E2B2AD1065038022984F52F14405D54FBE9F308F1414F23759DCAEC7D5E4597B0F787FC1FCBE8E51
                    Malicious:true
                    Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run
                    Process:C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe
                    File Type:XML 1.0 document, ASCII text
                    Category:dropped
                    Size (bytes):1601
                    Entropy (8bit):5.103299437112385
                    Encrypted:false
                    SSDEEP:24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtLP8oah:cge7QYrFdOFzOzN33ODOiDdKrsuTAbv
                    MD5:DCB23C3381B0936419B56566D989107A
                    SHA1:38A5214CB4619767A5E59DDD73BDCD2DC2E0C9C8
                    SHA-256:B57D5B0AB6480E872CB329E34AA815316093A529562D7224235A10ABB322F9BF
                    SHA-512:003387D8D0129BB0D5779ACBF1F1527D2FEF7A4C907A1ED3E2B2AD1065038022984F52F14405D54FBE9F308F1414F23759DCAEC7D5E4597B0F787FC1FCBE8E51
                    Malicious:false
                    Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run
                    Process:C:\Users\user\Desktop\Quotation For Inverter.exe
                    File Type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):1089024
                    Entropy (8bit):7.144093602761971
                    Encrypted:false
                    SSDEEP:12288:7X1iui6yWSKxwk0elr2wuC4bTaOJKxK75xi817KsmExR+ZImobjP:BdSKxw3eYhC4naOhZQIHjP
                    MD5:9C45E536F5C88334F24CAB2AB89EE21E
                    SHA1:586564AB3BD5EA6C329D91AF2CB90C62593CC5F9
                    SHA-256:26519D3B87B0BCE9CACD121C6837FDF4E91500B52C14735068BB495F04FE1852
                    SHA-512:C4C2D7A3296E37E448B7D5580C97CDE6AF431CB07C3E8D18B6D1E0FAB68E47662605E7FA44273EDA7F2B81907BF3D7A01847DED03FEACBD80355C0F69A51B2EF
                    Malicious:true
                    Antivirus:
                    • Antivirus: Joe Sandbox ML, Detection: 100%
                    • Antivirus: ReversingLabs, Detection: 39%
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...y............."...0.................. .....@..... ....................................@...@......@............... ............................... .................................p............................................................ ..H............text........ ...................... ..`.rsrc....... ......................@..@........................................H..........0;..........................................................^..}.....(.......(.....*.0...........s".....o......(.....*".(.....*..0..+.........,..{.......+....,...{....o........(.....*..0..p.........s....}.....s....}.....s....}.....(......{.... P... ....s....o......{....r...po......{.... .....6s....o......{.....o......{....r...po......{.....o......{...........s....o......{.... P... V...s....o......{....r)..po......{.... .....6s....o......{.....o......{....r9..po......{....
                    Process:C:\Users\user\Desktop\Quotation For Inverter.exe
                    File Type:ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):26
                    Entropy (8bit):3.95006375643621
                    Encrypted:false
                    SSDEEP:3:ggPYV:rPYV
                    MD5:187F488E27DB4AF347237FE461A079AD
                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                    Malicious:false
                    Preview:[ZoneTransfer]....ZoneId=0
                    File type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                    Entropy (8bit):7.144093602761971
                    TrID:
                    • Win64 Executable GUI (202006/5) 92.65%
                    • Win64 Executable (generic) (12005/4) 5.51%
                    • Generic Win/DOS Executable (2004/3) 0.92%
                    • DOS Executable Generic (2002/1) 0.92%
                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                    File name:Quotation For Inverter.exe
                    File size:1'089'024 bytes
                    MD5:9c45e536f5c88334f24cab2ab89ee21e
                    SHA1:586564ab3bd5ea6c329d91af2cb90c62593cc5f9
                    SHA256:26519d3b87b0bce9cacd121c6837fdf4e91500b52c14735068bb495f04fe1852
                    SHA512:c4c2d7a3296e37e448b7d5580c97cde6af431cb07c3e8d18b6d1e0fab68e47662605e7fa44273eda7f2b81907bf3d7a01847ded03feacbd80355c0f69a51b2ef
                    SSDEEP:12288:7X1iui6yWSKxwk0elr2wuC4bTaOJKxK75xi817KsmExR+ZImobjP:BdSKxw3eYhC4naOhZQIHjP
                    TLSH:9E35BE8F29168C5AD4E4BFB068B5558B2A339CBA0014D283EDDFFEACBE7134412C655D
                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...y............."...0.................. .....@..... ....................................@...@......@............... .....
                    Icon Hash:cf81959919251b03
                    Entrypoint:0x140000000
                    Entrypoint Section:
                    Digitally signed:false
                    Imagebase:0x140000000
                    Subsystem:windows gui
                    Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Time Stamp:0xE3CFB179 [Sun Feb 11 13:36:57 2091 UTC]
                    TLS Callbacks:
                    CLR (.Net) Version:
                    OS Version Major:4
                    OS Version Minor:0
                    File Version Major:4
                    File Version Minor:0
                    Subsystem Version Major:4
                    Subsystem Version Minor:0
                    Import Hash:
                    Instruction
                    dec ebp
                    pop edx
                    nop
                    add byte ptr [ebx], al
                    add byte ptr [eax], al
                    add byte ptr [eax+eax], al
                    add byte ptr [eax], al
                    Name | Virtual Address | Virtual Size | Is in Section
                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb2000 | 0x5abd4 | .rsrc
                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0xaeffc | 0x70 | .text
                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2000 | 0x48 | .text
                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                    .text | 0x2000 | 0xaef06 | 0xaf000 | a84929960b195395e032eb09617181fc | False | 0.9207240513392857 | data | 7.932481409512327 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    .rsrc | 0xb2000 | 0x5abd4 | 0x5ac00 | 746052510f467b609d9b10451aa51845 | False | 0.1513752582644628 | data | 4.5499872122298335 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                    Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                    RT_ICON | 0xb2220 | 0x42028 | Device independent bitmap graphic, 256 x 512 x 32, image size 262144 | | | 0.11193301180578158
                    RT_ICON | 0xf4248 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536 | | | 0.1927865846445049
                    RT_ICON | 0x104a70 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384 | | | 0.3305975436939065
                    RT_ICON | 0x108c98 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | | | 0.41026970954356845
                    RT_ICON | 0x10b240 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | | | 0.5562851782363978
                    RT_ICON | 0x10c2e8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | | | 0.7792553191489362
                    RT_GROUP_ICON | 0x10c750 | 0x5a | data | | | 0.7222222222222222
                    RT_VERSION | 0x10c7ac | 0x23c | data | | | 0.47027972027972026
                    RT_MANIFEST | 0x10c9e8 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
                    No network behavior found

                    Target ID:0
                    Start time:16:19:20
                    Start date:22/05/2024
                    Path:C:\Users\user\Desktop\Quotation For Inverter.exe
                    Wow64 process (32bit):false
                    Commandline:"C:\Users\user\Desktop\Quotation For Inverter.exe"
                    Imagebase:0x520000
                    File size:1'089'024 bytes
                    MD5 hash:9C45E536F5C88334F24CAB2AB89EE21E
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2135269832.000000001F27D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2135269832.000000001F27D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2132764090.0000000013E8E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2132764090.0000000013E8E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    Reputation:low
                    Has exited:true

                    Target ID:3
                    Start time:16:19:22
                    Start date:22/05/2024
                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    Wow64 process (32bit):false
                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe"
                    Imagebase:0x7ff6e3d50000
                    File size:452'608 bytes
                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:4
                    Start time:16:19:22
                    Start date:22/05/2024
                    Path:C:\Windows\System32\conhost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase:0x7ff66e660000
                    File size:862'208 bytes
                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:5
                    Start time:16:19:22
                    Start date:22/05/2024
                    Path:C:\Windows\System32\schtasks.exe
                    Wow64 process (32bit):false
                    Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KaCTPSocApHQCE" /XML "C:\Users\user\AppData\Local\Temp\tmpBEAB.tmp"
                    Imagebase:0x7ff635f40000
                    File size:235'008 bytes
                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:6
                    Start time:16:19:22
                    Start date:22/05/2024
                    Path:C:\Windows\System32\conhost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase:0x7ff66e660000
                    File size:862'208 bytes
                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:7
                    Start time:16:19:22
                    Start date:22/05/2024
                    Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
                    Imagebase:0x1a6b1870000
                    File size:45'472 bytes
                    MD5 hash:DC67ADE51149EC0C373A379473895BA1
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:moderate
                    Has exited:false

                    Target ID:10
                    Start time:16:19:23
                    Start date:22/05/2024
                    Path:C:\Windows\System32\WerFault.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\WerFault.exe -u -p 6496 -s 12
                    Imagebase:0x7ff746af0000
                    File size:570'736 bytes
                    MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:11
                    Start time:16:19:23
                    Start date:22/05/2024
                    Path:C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Users\user\AppData\Roaming\KaCTPSocApHQCE.exe
                    Imagebase:0x80000
                    File size:1'089'024 bytes
                    MD5 hash:9C45E536F5C88334F24CAB2AB89EE21E
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.2159136826.0000000013240000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.2159136826.0000000013240000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.2161143746.000000001E204000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.2161143746.000000001E204000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                    Antivirus matches:
                    • Detection: 100%, Joe Sandbox ML
                    • Detection: 39%, ReversingLabs
                    Reputation:low
                    Has exited:true

                    Target ID:12
                    Start time:16:19:24
                    Start date:22/05/2024
                    Path:C:\Windows\System32\schtasks.exe
                    Wow64 process (32bit):false
                    Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KaCTPSocApHQCE" /XML "C:\Users\user\AppData\Local\Temp\tmpC4D5.tmp"
                    Imagebase:0x7ff635f40000
                    File size:235'008 bytes
                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:13
                    Start time:16:19:24
                    Start date:22/05/2024
                    Path:C:\Windows\System32\conhost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase:0x7ff66e660000
                    File size:862'208 bytes
                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:14
                    Start time:16:19:24
                    Start date:22/05/2024
                    Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
                    Imagebase:0x18fa2810000
                    File size:45'472 bytes
                    MD5 hash:DC67ADE51149EC0C373A379473895BA1
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Reputation:moderate
                    Has exited:true

                    Target ID:16
                    Start time:16:19:25
                    Start date:22/05/2024
                    Path:C:\Windows\System32\WerFault.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\WerFault.exe -u -p 5476 -s 12
                    Imagebase:0x7ff746af0000
                    File size:570'736 bytes
                    MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:17
                    Start time:16:19:25
                    Start date:22/05/2024
                    Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                    Imagebase:0x7ff717f30000
                    File size:496'640 bytes
                    MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                    Has elevated privileges:true
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Has exited:true

                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2136766270.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd347d0000_Quotation For Inverter.jbxd
                      Similarity
                      • API ID:
                      • String ID: o/vS
                      • API String ID: 0-4195870634
                      • Opcode ID: e39e231b030c75b2673e08fe51199f694864533a81be5dbfa9b1f843fb750a91
                      • Instruction ID: 77611bd53ec1180e2133f66027864e40a167726e8ee4f942717e8d1e9924f054
                      • Opcode Fuzzy Hash: e39e231b030c75b2673e08fe51199f694864533a81be5dbfa9b1f843fb750a91
                      • Instruction Fuzzy Hash: D571796165E3C19FD313973458B56A23FB0AF47214F0A41EBE4C9CB0A3D51C695ED3A2
                      Memory Dump Source
                      • Source File: 00000000.00000002.2136766270.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd347d0000_Quotation For Inverter.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 87ccd94521228d9e3bfcb2000ec81d3811fff0b3bace70a354dc7fb54cb6da5a
                      • Instruction ID: 34c178265d98133216f2deb96afac17678822f1386d43009b13d1bda179ec290
                      • Opcode Fuzzy Hash: 87ccd94521228d9e3bfcb2000ec81d3811fff0b3bace70a354dc7fb54cb6da5a
                      • Instruction Fuzzy Hash: 54B1A06190E7C58FD31797348CA55A17FB0EF57314B1A42EBD4CACB0A3E51C684AC7A2
                      Memory Dump Source
                      • Source File: 00000000.00000002.2136766270.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd347d0000_Quotation For Inverter.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: ffcdd382d6542f593ecfad407e9ce448697eaacc717ce24a55cf0048053672e0
                      • Instruction ID: 6949921cbcfc148bf8157b48f8e5051f8504cdd2d0d9122c859fad5283ae342e
                      • Opcode Fuzzy Hash: ffcdd382d6542f593ecfad407e9ce448697eaacc717ce24a55cf0048053672e0
                      • Instruction Fuzzy Hash: 5761B7B190D3C44FD3169B7488A56627FF1EF57314F0A85EFD089C75A3EA286806C792
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2136766270.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd347d0000_Quotation For Inverter.jbxd
                      Similarity
                      • API ID:
                      • String ID: %N_H$n#
                      • API String ID: 0-884442346
                      • Opcode ID: 288ebffadb119d9cacdeccf5d93b03875d8d4fb6f3058418b68e9d724445ccbe
                      • Instruction ID: 5d0fbb6e2c03f6ac5da72167c02f6c89f79117c802db4c3793d6b0ba616da64d
                      • Opcode Fuzzy Hash: 288ebffadb119d9cacdeccf5d93b03875d8d4fb6f3058418b68e9d724445ccbe
                      • Instruction Fuzzy Hash: 90F11A70A19A5D8FDB98EF18C8A4AE9B3B1FF69300F1001B9D11DD7296DE35AD81CB40
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2136766270.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd347d0000_Quotation For Inverter.jbxd
                      Similarity
                      • API ID:
                      • String ID: %N_H
                      • API String ID: 0-2307434723
                      • Opcode ID: c5fd77fcc0bfb0ab21e056f340f7e2c982535603ac76ee39db8a330767a21afd
                      • Instruction ID: ac3e3c855f9828f8dbdfd0588e0628fdb1feae150e94d0e7758a88e7f318dbe5
                      • Opcode Fuzzy Hash: c5fd77fcc0bfb0ab21e056f340f7e2c982535603ac76ee39db8a330767a21afd
                      • Instruction Fuzzy Hash: 94221970A19A4D8FDB98EF58C8A4AE977F1FF69300F1001B9D05DE7296DA35AD81CB40
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2136766270.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd347d0000_Quotation For Inverter.jbxd
                      Similarity
                      • API ID:
                      • String ID: %N_H
                      • API String ID: 0-2307434723
                      • Opcode ID: f511d54c2480554db1003a92e0efccc5ced63452a80bf5e3f03c8c6dc262db05
                      • Instruction ID: 103bb10175dfb5b83dc8223b95af53157abecc9298bc3f45a446bdc719640a56
                      • Opcode Fuzzy Hash: f511d54c2480554db1003a92e0efccc5ced63452a80bf5e3f03c8c6dc262db05
                      • Instruction Fuzzy Hash: 3A51F570A19A1D8FDB98EF58C4A4AE9B7F1FF59300F1141A9D05EE7256CA34E981CF40
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2136766270.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd347d0000_Quotation For Inverter.jbxd
                      Similarity
                      • API ID:
                      • String ID: )/vS
                      • API String ID: 0-1147723851
                      • Opcode ID: 070b48f8f9f230cb7f0a3194a56897dc46e7e262a61fd8d1243e0f101a7af5a3
                      • Instruction ID: 14d93876501e35877610b1a6f408a33d9ec9927309f0452be53407072a6c9bbc
                      • Opcode Fuzzy Hash: 070b48f8f9f230cb7f0a3194a56897dc46e7e262a61fd8d1243e0f101a7af5a3
                      • Instruction Fuzzy Hash: 0221B2A2F19D094FE7A8EA6C94A57B977E2FF99320F15417AD00DD3292CD28AC424380
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2136766270.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd347d0000_Quotation For Inverter.jbxd
                      Similarity
                      • API ID:
                      • String ID: o/vS
                      • API String ID: 0-4195870634
                      • Opcode ID: e6794f70897e77d78c283e02293050209cd739b2ff88343f0d9bb3f2021f6bc6
                      • Instruction ID: b58ca115cfc251412d8c78cea19f54bcc286974b8a7d2f2e7fdc883889aea823
                      • Opcode Fuzzy Hash: e6794f70897e77d78c283e02293050209cd739b2ff88343f0d9bb3f2021f6bc6
                      • Instruction Fuzzy Hash: AE31A261A1E7C58FE3569B3448A52617FA0BF47304F0A41FBD489C71D3DA2CA81DD3A2
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2136766270.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd347d0000_Quotation For Inverter.jbxd
                      Similarity
                      • API ID:
                      • String ID: ]/vS
                      • API String ID: 0-2687883136
                      • Opcode ID: 41af6105277cb32d1189a542b65c73a79d4b4e0a68284992d199ec6cc71f4487
                      • Instruction ID: c462e5d50e53976d3a542c7085ad00b9ca0a9a662a63acfa4d17ec603d7f457a
                      • Opcode Fuzzy Hash: 41af6105277cb32d1189a542b65c73a79d4b4e0a68284992d199ec6cc71f4487
                      • Instruction Fuzzy Hash: C611C361B2DA499BE799DA6C94652BD77D2FF8A350F080279E04DD3282DD2CAC0543C1
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2136766270.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd347d0000_Quotation For Inverter.jbxd
                      Similarity
                      • API ID:
                      • String ID: o/vS
                      • API String ID: 0-4195870634
                      • Opcode ID: 44871cd1c74f42ec47a849bf7880ab7c61a5720ca6d4b8f09a0cb1bfc6a436b4
                      • Instruction ID: 67f4bed9804cbc0f60d258ea28b727ed1bdd92b08cfdd37037db34ba6dd1079c
                      • Opcode Fuzzy Hash: 44871cd1c74f42ec47a849bf7880ab7c61a5720ca6d4b8f09a0cb1bfc6a436b4
                      • Instruction Fuzzy Hash: 3D118E5161E7C55FD347977848652617FA1AF87204F0A41EBE489C71D3C61C6819D3A2
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2136766270.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd347d0000_Quotation For Inverter.jbxd
                      Similarity
                      • API ID:
                      • String ID: C/vS
                      • API String ID: 0-284423980
                      • Opcode ID: ff8b7b3033915dc3768f646874674f29d4ccfa2cb4082bb6f69339fbafc2c769
                      • Instruction ID: 77ac73cc61e574d9235ed9aa9bec8b31c3b5ef0f25b99ed3c24d8fd85b097e60
                      • Opcode Fuzzy Hash: ff8b7b3033915dc3768f646874674f29d4ccfa2cb4082bb6f69339fbafc2c769
                      • Instruction Fuzzy Hash: 5D11CAA1B29A858FF794DB5C88B1268B6E2FF9B340F14817ED14DC61DBDD2CB8098341
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2136766270.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd347d0000_Quotation For Inverter.jbxd
                      Similarity
                      • API ID:
                      • String ID: o/vS
                      • API String ID: 0-4195870634
                      • Opcode ID: 740f3a7edf6622d0f11fc583137b77a6cba2ecf292c2442e39d72d30725351fe
                      • Instruction ID: 2815992d8ec5a3ace0f17b91084b2b2ca0f844337fee8d329ff942451b597d72
                      • Opcode Fuzzy Hash: 740f3a7edf6622d0f11fc583137b77a6cba2ecf292c2442e39d72d30725351fe
                      • Instruction Fuzzy Hash: B1F0E0607297825FE3454B2884A61657BD1EF9B704F08006AE0CDC71C2C62CA80AD342
                      Memory Dump Source
                      • Source File: 00000000.00000002.2136766270.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd347d0000_Quotation For Inverter.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 8913d0cb95a35e3f11d6a34b1aa38402a8d9bb657bdf33a7edb0b62d614ee52d
                      • Instruction ID: 7e93bd355d09ac97a08f943b08ee52e08390af01f23df747fd19dbf51b1b3ef1
                      • Opcode Fuzzy Hash: 8913d0cb95a35e3f11d6a34b1aa38402a8d9bb657bdf33a7edb0b62d614ee52d
                      • Instruction Fuzzy Hash: 9842B472D1D2868FEB1ADB64CC616A43BA0FF57304F1801BBD549C7193E62CA81ED792
                      Memory Dump Source
                      • Source File: 00000000.00000002.2136766270.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd347d0000_Quotation For Inverter.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: e76e59fee890633496c3b3ee8ee5c7463c4d326f4aaea8ae419dc024b400b75d
                      • Instruction ID: d870f339ec502aca1f432f78433f3a03f26bc887096e38d825e9faaa23fc9a66
                      • Opcode Fuzzy Hash: e76e59fee890633496c3b3ee8ee5c7463c4d326f4aaea8ae419dc024b400b75d
                      • Instruction Fuzzy Hash: 4FD11571A0E6898FE7169B24C8A56A47FF0EF57310F0942FBD089CB1D3DA2C6849D791
                      Memory Dump Source
                      • Source File: 00000000.00000002.2136766270.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd347d0000_Quotation For Inverter.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: e84267e0322a044b9bdb92273e6eb6564249eca5c47750286c6333077ee150c2
                      • Instruction ID: fa5d63fed13009e61df65807771b24c2f89dcebeaee2cebe80dec12a2e1e6320
                      • Opcode Fuzzy Hash: e84267e0322a044b9bdb92273e6eb6564249eca5c47750286c6333077ee150c2
                      • Instruction Fuzzy Hash: BCC1D3B190E3C18FD3565A3488A51A57FF0EF47324F0941EED4C9CB1A3E92C684AD7A2
                      Memory Dump Source
                      • Source File: 00000000.00000002.2136766270.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd347d0000_Quotation For Inverter.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 6ecd3290d22266060f1919a1241d14e61af701a3fb1d4a800bd52999b61a32ff
                      • Instruction ID: 0359e2f29ec55b3a405699ea9e27652a6715ffca124956adc4a62c26b99e7b07
                      • Opcode Fuzzy Hash: 6ecd3290d22266060f1919a1241d14e61af701a3fb1d4a800bd52999b61a32ff
                      • Instruction Fuzzy Hash: CBD10B70A19A1D8FDB94EF18C8A9BA9B3B1FF59301F5001E9D00DD7296CE75A981CF40
                      Memory Dump Source
                      • Source File: 00000000.00000002.2136766270.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd347d0000_Quotation For Inverter.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 2dcc34ed5f2a84bebaf8eebb43f4b2fae06aebfda0ef7ad3807e72d430ff09a2
                      • Instruction ID: 743e415284d5853a091521435ce0bea7db388d73ac1af6d6451696f7ee316ef7
                      • Opcode Fuzzy Hash: 2dcc34ed5f2a84bebaf8eebb43f4b2fae06aebfda0ef7ad3807e72d430ff09a2
                      • Instruction Fuzzy Hash: BD21D2B2A0D6C98FEB55DF5888A06A97FA0FF16200F0802FBD558C7192C92C6995D7D1
                      Memory Dump Source
                      • Source File: 00000000.00000002.2136766270.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd347d0000_Quotation For Inverter.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: f0da783bc95853b9494c4832af2adf7c7f7caa2eafd3ce6bcc078220a9b91bcc
                      • Instruction ID: d2448c58af2fa68da1ceec2bf5e4d8cb350064982bc0aa9109a534bcf1d6335c
                      • Opcode Fuzzy Hash: f0da783bc95853b9494c4832af2adf7c7f7caa2eafd3ce6bcc078220a9b91bcc
                      • Instruction Fuzzy Hash: 53511A62B1D6D65FE703A76CDCB41E9BF71EF93261B0501B3D285CA093D918240AC7E1
                      Memory Dump Source
                      • Source File: 00000000.00000002.2136766270.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd347d0000_Quotation For Inverter.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a4a6731479ca6b46c65d9573ce4b7c19ede8bfa540759eca379470d2a4215e71
                      • Instruction ID: b57f51b82ee3e89b3749083e94f2140c02fadc6f07b5c6c1eb447746c3af56d0
                      • Opcode Fuzzy Hash: a4a6731479ca6b46c65d9573ce4b7c19ede8bfa540759eca379470d2a4215e71
                      • Instruction Fuzzy Hash: 72512A62B1D6D65FE703A76C9CB41E9BF71FF93211B0901B3D285CA093DA18241AC7E1
                      Memory Dump Source
                      • Source File: 00000000.00000002.2136766270.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd347d0000_Quotation For Inverter.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 983b7856fbdb016e01b4a5475df8cdf3a62dd13580f11afad7bbfd449b81a2ee
                      • Instruction ID: 64af2fd63e77e79a19e284ddb0859d2ba66157d0c4894666e33472b206d442dd
                      • Opcode Fuzzy Hash: 983b7856fbdb016e01b4a5475df8cdf3a62dd13580f11afad7bbfd449b81a2ee
                      • Instruction Fuzzy Hash: 9F512861A1E6898FE3569B2888A45757BE0FF57210F0A42BBD089C71E3DD1CBC099392
                      Memory Dump Source
                      • Source File: 00000000.00000002.2136766270.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd347d0000_Quotation For Inverter.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: babbb2421463182e3e4e90cdb14c0019a71f9efef73cff4178ff9771ca609a3b
                      • Instruction ID: 8d95836f0dcc4dc4c74061208e40f9b4816788546f5eb2874183530b9ad38d5e
                      • Opcode Fuzzy Hash: babbb2421463182e3e4e90cdb14c0019a71f9efef73cff4178ff9771ca609a3b
                      • Instruction Fuzzy Hash: 2C5116B161E3C58FD31A9B6888A11A57FE0EF47310F1542FED48ACB193E52C6C0AD792
                      Memory Dump Source
                      • Source File: 00000000.00000002.2136766270.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd347d0000_Quotation For Inverter.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 55a13c37eb66dd899648a226b35c0b17689f939f1bf2d7b9a33d35994a48b2cd
                      • Instruction ID: 4595a4f204d5ad8071aa848d0b71b526f8ab2399b5be5ebf9bb4a77c25fd2982
                      • Opcode Fuzzy Hash: 55a13c37eb66dd899648a226b35c0b17689f939f1bf2d7b9a33d35994a48b2cd
                      • Instruction Fuzzy Hash: DE51A3B1A1924ACFDB58DF58C891AFA73A1FF5A300F110539D919D3291DA38B84ACBD1
                      Memory Dump Source
                      • Source File: 00000000.00000002.2136766270.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd347d0000_Quotation For Inverter.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 992803a3d5f0caa5a403be7106f96387cc2a739f2b90aa3a3eab244202fbc1d5
                      • Instruction ID: a284628a847313660419b9cf51c1139dfc914a3b43e827ade1a8afe17667f153
                      • Opcode Fuzzy Hash: 992803a3d5f0caa5a403be7106f96387cc2a739f2b90aa3a3eab244202fbc1d5
                      • Instruction Fuzzy Hash: 69418C9271E6894FE759962C98A42713BE1DB87210F0842FFD189C7193EC0EAC4683D1
                      Memory Dump Source
                      • Source File: 00000000.00000002.2136766270.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd347d0000_Quotation For Inverter.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: f05619d31e0c0e27106ba9dbf651ee2db05ee962ceb6bae4b2dc767b60c059ff
                      • Instruction ID: de4293c9b352f9c389329b14f9b7a59c71a0bae78a0d327cc6bf9b843b27955e
                      • Opcode Fuzzy Hash: f05619d31e0c0e27106ba9dbf651ee2db05ee962ceb6bae4b2dc767b60c059ff
                      • Instruction Fuzzy Hash: 3C412D70A1960E8FDB48DF58D8919FEB7B1FF5A300F511129E41AA3291CA38B856CB80
                      Memory Dump Source
                      • Source File: 00000000.00000002.2136766270.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd347d0000_Quotation For Inverter.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: ba42e9dc35d5af4476a4c52bf20da7f53b54a582c69b11e93066ea72926d3201
                      • Instruction ID: b8048a6219b1eb9905a80a108aaae8204c90c1a00ba54a098d9127d0264cd110
                      • Opcode Fuzzy Hash: ba42e9dc35d5af4476a4c52bf20da7f53b54a582c69b11e93066ea72926d3201
                      • Instruction Fuzzy Hash: 40410762B1D6969FE713A76C9CB51E9BF60EF93211B0401B3D289C6093DD18241AC7D1
                      Memory Dump Source
                      • Source File: 00000000.00000002.2136766270.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd347d0000_Quotation For Inverter.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: e5f81d82baff37dc59907e90ddf2abe65abba528a983f35f48c7f69212247c50
                      • Instruction ID: 28a6e6dab52c169a3fcfe2c900f5896f0a75d8cf53bdd36e61c124eb21c9591e
                      • Opcode Fuzzy Hash: e5f81d82baff37dc59907e90ddf2abe65abba528a983f35f48c7f69212247c50
                      • Instruction Fuzzy Hash: 8141F5A2B1D6965FE752A7689CB51E9BF70FF93211B0401B3D289D6083DD28281B87D1
                      Memory Dump Source
                      • Source File: 00000000.00000002.2136766270.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd347d0000_Quotation For Inverter.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 6a96fe4013c87440dde64a97e6468e479eca59c8dc06510a5b3dc26cabe960d0
                      • Instruction ID: dd45fb314969dbbc22e2a98fa92ff29a799e2383e51f083210a7d7eabc04cf11
                      • Opcode Fuzzy Hash: 6a96fe4013c87440dde64a97e6468e479eca59c8dc06510a5b3dc26cabe960d0
                      • Instruction Fuzzy Hash: 1941E47191D7858FD31A9B248CA55A57BF0EF47314F1902FFD08ACB0A3E61DA846C792
                      Memory Dump Source
                      • Source File: 00000000.00000002.2136766270.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd347d0000_Quotation For Inverter.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 6489bd565d181d2d5adaea905882f7cfd801a1caa32cbe80e043481588a32710
                      • Instruction ID: b168e89d4d9bf462334c69a50c52536127494898810dab515819888c1802b93e
                      • Opcode Fuzzy Hash: 6489bd565d181d2d5adaea905882f7cfd801a1caa32cbe80e043481588a32710
                      • Instruction Fuzzy Hash: 5D411971918A5D8FDF44EF58D8A59EDBBF4FF59300F00016AE809E3292DB38A955CB81
                      Memory Dump Source
                      • Source File: 00000000.00000002.2136766270.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd347d0000_Quotation For Inverter.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 01c7cde2a49c77ae7336fad80aa405b9fe40f06182480cf40a7cbe7713892f8a
                      • Instruction ID: 316708c9d070611e1c505e2af4305b6384eb8947996d5f6cb9752fe0950a5f31
                      • Opcode Fuzzy Hash: 01c7cde2a49c77ae7336fad80aa405b9fe40f06182480cf40a7cbe7713892f8a
                      • Instruction Fuzzy Hash: F3312762B1D68A9FE752A7689CB51E9BF70FF93310F0401B6D289D2083DD28381B87D1
                      Memory Dump Source
                      • Source File: 00000000.00000002.2136766270.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd347d0000_Quotation For Inverter.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 78c0b0b98964cc0f11e55673d25d27b958e56c5ff8c7356bef7d3e8ddc7ba36a
                      • Instruction ID: e4df883cbd854d7da1829e5c8fc9b95d501cf51604aec022f4154ddcdfd3115d
                      • Opcode Fuzzy Hash: 78c0b0b98964cc0f11e55673d25d27b958e56c5ff8c7356bef7d3e8ddc7ba36a
                      • Instruction Fuzzy Hash: 6831A06061D7C58FD30A9B2488B5274BFE1EF53311F0942FED58ACA1E3E92C6949C792
                      Memory Dump Source
                      • Source File: 00000000.00000002.2136766270.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd347d0000_Quotation For Inverter.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 7ce6faa66785edeaf7033d5f06ecefb5bfbd804c4c1b1d2d5f35d3a29ae72a6a
                      • Instruction ID: 066efebac9b3d5836c90b63a33516fe6d664ac71efa0245a75cd23680cb17981
                      • Opcode Fuzzy Hash: 7ce6faa66785edeaf7033d5f06ecefb5bfbd804c4c1b1d2d5f35d3a29ae72a6a
                      • Instruction Fuzzy Hash: 1B31A33050D3C58FD3276B7498616A67FB4EF47310F0A42EBD489CB1A3E65C684AC7A2
                      Memory Dump Source
                      • Source File: 00000000.00000002.2136766270.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd347d0000_Quotation For Inverter.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 0b9e766541c2ad90124133045be766865b4c773f6dc2849e7d1341e0273d77b2
                      • Instruction ID: eee6a44ec4e8b46f430ecad81ab2c4843390f725ea96998f819317b7eaba795f
                      • Opcode Fuzzy Hash: 0b9e766541c2ad90124133045be766865b4c773f6dc2849e7d1341e0273d77b2
                      • Instruction Fuzzy Hash: B7310962F1D68A9FE752A76888751EDBB70FF93310F0401B6D549D6183DD28381A87D1
                      Memory Dump Source
                      • Source File: 00000000.00000002.2136766270.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd347d0000_Quotation For Inverter.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 3c3698233dd15fbd2e04e6e8f595b017cc4ede50214ac582d2465dc9deabea64
                      • Instruction ID: bb39ccbdd9a9be6de585696e9bfb20af9f82fc9f77b8caebe018666e03790925
                      • Opcode Fuzzy Hash: 3c3698233dd15fbd2e04e6e8f595b017cc4ede50214ac582d2465dc9deabea64
                      • Instruction Fuzzy Hash: 3C31C861F19A4ACFE7E8DA5884A0678B7A2EF83340F5481B9D14DD3197DD38BC49D780
                      Memory Dump Source
                      • Source File: 00000000.00000002.2136766270.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd347d0000_Quotation For Inverter.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: adfa748c95bcbda97d1ba425a3014fad0a2d50a8efe26a53f56712b41ace35b4
                      • Instruction ID: 344f6753f712c7765b8c2151f35c0cfc0991f16abeedcf3a17f8541daedc9813
                      • Opcode Fuzzy Hash: adfa748c95bcbda97d1ba425a3014fad0a2d50a8efe26a53f56712b41ace35b4
                      • Instruction Fuzzy Hash: 79315517A0DAA256D23277FCB4B10EF7FA4DF4267970C45B7D2C85C0939D1860AAC6D4
                      Memory Dump Source
                      • Source File: 00000000.00000002.2136766270.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd347d0000_Quotation For Inverter.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: e92dea903c51585764c6fd2d15ac26d56191511a6b2c19603a11a57c686805e9
                      • Instruction ID: 21d3621477d9e141210e58d66941283f424d0296f40451305fa8de77e0e92cc0
                      • Opcode Fuzzy Hash: e92dea903c51585764c6fd2d15ac26d56191511a6b2c19603a11a57c686805e9
                      • Instruction Fuzzy Hash: 4031CE52A5E7C28FE35746348C751A43FB19F93210B1D82FBD896CB5E7E90C680AD362
                      Memory Dump Source
                      • Source File: 00000000.00000002.2136766270.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd347d0000_Quotation For Inverter.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: c04944f23f45ec466ee80950a1b39c33b3025acc717ec3a18f0055cc7ff32772
                      • Instruction ID: dbd9d4b33637ca470426082b35051fc88f273d806673caae405d97ec2d13e9e2
                      • Opcode Fuzzy Hash: c04944f23f45ec466ee80950a1b39c33b3025acc717ec3a18f0055cc7ff32772
                      • Instruction Fuzzy Hash: 5E318F51A4E7C28FE31757348CB50A07FB0AF53210B1982EBD486CB5E7E51C680BD362
                      Memory Dump Source
                      • Source File: 00000000.00000002.2136766270.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd347d0000_Quotation For Inverter.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 493097fb76ac82b20395964481d40a8250530bf5f720c6f7908b42ff10b3f70b
                      • Instruction ID: beab06768fabf4992ce7f5b7ac57bcb63b7fcc5bf17cd50976a3640d025c5623
                      • Opcode Fuzzy Hash: 493097fb76ac82b20395964481d40a8250530bf5f720c6f7908b42ff10b3f70b
                      • Instruction Fuzzy Hash: ED31D8B0E2A91DCFEB95DBA8C8A46ADB7B5FF5A300F504179D10DE3291DA3868449B40
                      Memory Dump Source
                      • Source File: 00000000.00000002.2136766270.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd347d0000_Quotation For Inverter.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 3a3420848c572ff78dddb997be1a7c48e6bf68e3d880635cd4dc629e78e0fb2e
                      • Instruction ID: 4d9e76b471b765bc69c33bc1e70bfc5f4d516565b05c156fd65e36a0c4646b01
                      • Opcode Fuzzy Hash: 3a3420848c572ff78dddb997be1a7c48e6bf68e3d880635cd4dc629e78e0fb2e
                      • Instruction Fuzzy Hash: 0831C274A0AA1C8FDB94EF18C894BA877F1FB69305F5041AAD00DE7252CA76AD85CF40
                      Memory Dump Source
                      • Source File: 00000000.00000002.2136766270.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd347d0000_Quotation For Inverter.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 3e5176455b5f10b305d0803607bc06b8dd23a44a06f7a17281ce0476cc4ee7da
                      • Instruction ID: 6198c0d849a870b1f8581ae51707643fb740a9ceeee0da897854e63cdd905270
                      • Opcode Fuzzy Hash: 3e5176455b5f10b305d0803607bc06b8dd23a44a06f7a17281ce0476cc4ee7da
                      • Instruction Fuzzy Hash: 7A31BFA0A1E3C68FD3079B3488642647FA1AF53214F0A82FBD4C9CB0A3E51D5849C362
                      Memory Dump Source
                      • Source File: 00000000.00000002.2136766270.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd347d0000_Quotation For Inverter.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: e212d478ec8565b667fd09f521308a9f8c788ea48b040920bc0771a4f5021b8c
                      • Instruction ID: 08bffd858b122b41f78c35fbd3164fa389f99a249dd2ae6c32c7489031312d91
                      • Opcode Fuzzy Hash: e212d478ec8565b667fd09f521308a9f8c788ea48b040920bc0771a4f5021b8c
                      • Instruction Fuzzy Hash: BC21D070709A8E8BDB15DF18C8A59BAB3E0FF56300F044766D41DC7282DB38B454D780
                      Memory Dump Source
                      • Source File: 00000000.00000002.2136766270.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd347d0000_Quotation For Inverter.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a3619a6513e8c91a1dc4de89d4faf935789ac7b31a04216322797a42962a146d
                      • Instruction ID: 7f80b4dff62a7cafa174ae2728b21457dc3c092f444bc437892608e3b0311e6a
                      • Opcode Fuzzy Hash: a3619a6513e8c91a1dc4de89d4faf935789ac7b31a04216322797a42962a146d
                      • Instruction Fuzzy Hash: 602129B2B19B8D4FE764DE1C88682A53BE1EBAF300F00417BE409D3292CD286C0997C1
                      Memory Dump Source
                      • Source File: 00000000.00000002.2136766270.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd347d0000_Quotation For Inverter.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 4a4b6959b873d87a581802259004207099f3fccf5e6d021c98ed753eaab96261
                      • Instruction ID: 9ebf14b318a3881f3adaea4c71af9444e193f137f3cb3e5ddb38a9abf9a31185
                      • Opcode Fuzzy Hash: 4a4b6959b873d87a581802259004207099f3fccf5e6d021c98ed753eaab96261
                      • Instruction Fuzzy Hash: B0216D92A4E7C24FE31357744C651A07FB09F53210B1A42EBD485CB4E3E51D680BD362
                      Memory Dump Source
                      • Source File: 00000000.00000002.2136766270.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd347d0000_Quotation For Inverter.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b1b339725fdc3423adb1fdfb42a819f02bc89ce525bca52b9981804c9fec6a49
                      • Instruction ID: b272575888b6f8cbca8a393437c1b607646f43634079b3c584fb3a7902d25b8c
                      • Opcode Fuzzy Hash: b1b339725fdc3423adb1fdfb42a819f02bc89ce525bca52b9981804c9fec6a49
                      • Instruction Fuzzy Hash: 63211A71A1991C8FDF94EB5CC895BECB7B1FFA9311F00026AD00DE3295CA35A885CB80
                      Memory Dump Source
                      • Source File: 00000000.00000002.2136766270.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd347d0000_Quotation For Inverter.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 95b3906c5a2c699fe0872c874f20891a156e97c32d39769d8c3b77a9b8e8bf90
                      • Instruction ID: 22b02e9a14750fe7641d82502fb5a4f898ca692a2a29d5eb0563b44a6f22c19c
                      • Opcode Fuzzy Hash: 95b3906c5a2c699fe0872c874f20891a156e97c32d39769d8c3b77a9b8e8bf90
                      • Instruction Fuzzy Hash: 3C21239295E3C28FE3534374486A0A07FB09F53214B1A82EBD9C9CB4E3E50D6C0BD362
                      Memory Dump Source
                      • Source File: 00000000.00000002.2136766270.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd347d0000_Quotation For Inverter.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 91eb67c3e6cd1e06bffbc1f03bb07a07a66f9c64036be6e7aa20c051f37573ff
                      • Instruction ID: 54d21a5ca4ae8fb0a69d46172bc423be1c3f886fea6c3397fe7131fd401a45ad
                      • Opcode Fuzzy Hash: 91eb67c3e6cd1e06bffbc1f03bb07a07a66f9c64036be6e7aa20c051f37573ff
                      • Instruction Fuzzy Hash: 2221349295E3C28FE357477448760A07FB0AF5321471A82EBD4D9CB4E7E51D680BD362
                      Memory Dump Source
                      • Source File: 00000000.00000002.2136766270.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd347d0000_Quotation For Inverter.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 0ed32ea6c21f0fd3f5df88c8b59508ac81a505181af18600158e36a87622b451
                      • Instruction ID: 101bdd550040b786bc5435cd5c721209fee511376a9b6702d19187d0339daf60
                      • Opcode Fuzzy Hash: 0ed32ea6c21f0fd3f5df88c8b59508ac81a505181af18600158e36a87622b451
                      • Instruction Fuzzy Hash: 0C11E4B1E296098BE780DF4884A11A9B7E1FF4A300F544279E54DD7186CA38BC8AD3C0
                      Memory Dump Source
                      • Source File: 00000000.00000002.2136766270.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd347d0000_Quotation For Inverter.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 6ae198e02bb52aea6a04b69d12c84ba97da31ea7f1aa22ad12f4df028f82c06f
                      • Instruction ID: 4cc0419f210958ff4dd5175de6b22ac9d9ba23efbbac98555f8c42877778ab5f
                      • Opcode Fuzzy Hash: 6ae198e02bb52aea6a04b69d12c84ba97da31ea7f1aa22ad12f4df028f82c06f
                      • Instruction Fuzzy Hash: B701220BB2E9A25AE21076AC38B51EA3F50EF87225B484173E18CC908BEC1C745B83D4
                      Memory Dump Source
                      • Source File: 00000000.00000002.2136766270.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd347d0000_Quotation For Inverter.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 2d0df3f6569353a5f333accfe3d841cdb75beafcf40096d769991aea1ce92ce5
                      • Instruction ID: 7b6e330070984d64e9e5f54a589035d57ae6fe9eedb6211ea805dc9b30b1d907
                      • Opcode Fuzzy Hash: 2d0df3f6569353a5f333accfe3d841cdb75beafcf40096d769991aea1ce92ce5
                      • Instruction Fuzzy Hash: 1801DBA2F2DD168BF765561858A12ADB3D1EB9F750F04027ED15EC32C2DD2D3C4652C0
                      Memory Dump Source
                      • Source File: 00000000.00000002.2136766270.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd347d0000_Quotation For Inverter.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: ce7613c19ac943507626bc6b3f20dc99b2630e05608b075c70d3a72814d9cc3f
                      • Instruction ID: 152a6e31adb4ec299a3d1b1b5897a0d41264d63be6821fa911f74bfaca5f4986
                      • Opcode Fuzzy Hash: ce7613c19ac943507626bc6b3f20dc99b2630e05608b075c70d3a72814d9cc3f
                      • Instruction Fuzzy Hash: 3F01D193B0E6860EF385416D68660F07BD0EB97234B4442BAD589C71A7E81A384B5391
                      Memory Dump Source
                      • Source File: 00000000.00000002.2136766270.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd347d0000_Quotation For Inverter.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a4e1b54a34c122fba3a6e5e1b23d067633ce5c5e80f277b7c6744e3d5606a098
                      • Instruction ID: a1f3937c9372dec304d68d4348193e743c468bdebe15fd179d4da9cd12a18f0e
                      • Opcode Fuzzy Hash: a4e1b54a34c122fba3a6e5e1b23d067633ce5c5e80f277b7c6744e3d5606a098
                      • Instruction Fuzzy Hash: 7F11B170508A8E8FCB88DF18C8987EAB7A0FF5A304F1406BAD81CD7692DB35E554C780
                      Memory Dump Source
                      • Source File: 00000000.00000002.2136766270.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd347d0000_Quotation For Inverter.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 630a6dff3bad9f9cb16dd3e6858ee349f24107fdee9b43074cdc46e87903dc10
                      • Instruction ID: edb62c8badfdd6c4138da2731bbd5caeb094a8092d4c75e9ffb719385035f61b
                      • Opcode Fuzzy Hash: 630a6dff3bad9f9cb16dd3e6858ee349f24107fdee9b43074cdc46e87903dc10
                      • Instruction Fuzzy Hash: B20147A3B0E9499FF755E61884B566837D1DB67310B1402BBC41ACB2D2EC1E78098780
                      Memory Dump Source
                      • Source File: 00000000.00000002.2136766270.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd347d0000_Quotation For Inverter.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: acdefa18a9df7634c536a7e2ddab554c69f84e3e8ae0fa4353afc4ff6378ccff
                      • Instruction ID: 7bfcfdd0e1edbc130c970a372373385cb5d5c3862c1f06516feaeea60bf6d027
                      • Opcode Fuzzy Hash: acdefa18a9df7634c536a7e2ddab554c69f84e3e8ae0fa4353afc4ff6378ccff
                      • Instruction Fuzzy Hash: 32014C42B1F6C14BE351A67828E51E53F60CF57224B0801FBD1D9D60C7EC0C740A5394
                      Memory Dump Source
                      • Source File: 00000000.00000002.2136766270.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd347d0000_Quotation For Inverter.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: dcce3b05b44659ba58c416acf995d59725b3f8669c79e50828faa5da41d67beb
                      • Instruction ID: f6caef8edb25c0c6a99e2a47a9bacc3d1d885b7aabaffbe8bb06a5d89c0df827
                      • Opcode Fuzzy Hash: dcce3b05b44659ba58c416acf995d59725b3f8669c79e50828faa5da41d67beb
                      • Instruction Fuzzy Hash: 510192A2F5F2C69FE712573884B91A97FA0AF57314F0914B3C684C60D3CD1CB8499281
                      Memory Dump Source
                      • Source File: 00000000.00000002.2136766270.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd347d0000_Quotation For Inverter.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 21ebe0c893d33425d846e18a4cb595b38c8e419d68923f795fbdac95f3502bf6
                      • Instruction ID: 82f259cb21ee7b0dffa470b348a69725230bfd73cad60a22ea96f59053290627
                      • Opcode Fuzzy Hash: 21ebe0c893d33425d846e18a4cb595b38c8e419d68923f795fbdac95f3502bf6
                      • Instruction Fuzzy Hash: ACF0BB303289444FC75CDA0CD8B593873D2EBD9705758066DE487C77C1DD21B902C785
                      Memory Dump Source
                      • Source File: 00000000.00000002.2136766270.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd347d0000_Quotation For Inverter.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 512df8becdf23432b9d14bb0d739ce6f23c58894519e55200dfb088baf0b0aff
                      • Instruction ID: dacfd2876e3e7b20a19199aab5ec232f0ca0043c7e42f3618a708f31c72b2691
                      • Opcode Fuzzy Hash: 512df8becdf23432b9d14bb0d739ce6f23c58894519e55200dfb088baf0b0aff
                      • Instruction Fuzzy Hash: 5A019EF0B196458FE7899B28C4A03A977E1FF8A304F5000ADE14DC73D2CB3CA9099B80
                      Memory Dump Source
                      • Source File: 00000000.00000002.2136766270.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd347d0000_Quotation For Inverter.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a74f3c83499b43adf720a21054036d414e8f4dda20577ecc81e1f26c011d0097
                      • Instruction ID: b307a7decfd50cbb3e2989fe90458fd0b81356db52ead1e25b81a562fc7f5355
                      • Opcode Fuzzy Hash: a74f3c83499b43adf720a21054036d414e8f4dda20577ecc81e1f26c011d0097
                      • Instruction Fuzzy Hash: 9D012870E2A91DCFDB54DB98C8946BDB7B6FF5A311F105034D10EE7295CA38A844DB40
                      Memory Dump Source
                      • Source File: 00000000.00000002.2136766270.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd347d0000_Quotation For Inverter.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b24224777b6337eff7b96012abaf8d629de6ef66b742a3f6e36b84d989981cd6
                      • Instruction ID: 6729cd96546269bbabca93438a444d2c611cfe9fbf6e5b4be24d01c55de3d38c
                      • Opcode Fuzzy Hash: b24224777b6337eff7b96012abaf8d629de6ef66b742a3f6e36b84d989981cd6
                      • Instruction Fuzzy Hash: D4016861E0E285CFE3A5DB6884A0268FBB2AF43200F1481FAC09DD3197CD382889DB41
                      Memory Dump Source
                      • Source File: 00000000.00000002.2136766270.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd347d0000_Quotation For Inverter.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b44bc45599182aff9e10e4b5adbcb3aa7d1526759a1ac4e52a1a1c42c4b9b05a
                      • Instruction ID: f63d6a24bdb952dbb899d23db89dbba2d0cd7f5cec589078827668ca6b548d44
                      • Opcode Fuzzy Hash: b44bc45599182aff9e10e4b5adbcb3aa7d1526759a1ac4e52a1a1c42c4b9b05a
                      • Instruction Fuzzy Hash: 27F09070E2E90DCFC755DBA8C8949BDB7B6FF56300F504074D00DEB266CA38A8059B40
                      Memory Dump Source
                      • Source File: 00000000.00000002.2136766270.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd347d0000_Quotation For Inverter.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: cac80358cde8911f419645b201775219f4e14f8d0c2925395c2612a0f3da5063
                      • Instruction ID: 0062c8dc2dd3d7445d6188d9a59ed4cc160bb0b24cf57e2faf8422fba9592bfa
                      • Opcode Fuzzy Hash: cac80358cde8911f419645b201775219f4e14f8d0c2925395c2612a0f3da5063
                      • Instruction Fuzzy Hash: F4F0E5E372E4098BF768E908ACA557473C5E7A7721F15033AC44EC3281EC1CFD0A9A80
                      Memory Dump Source
                      • Source File: 00000000.00000002.2136766270.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd347d0000_Quotation For Inverter.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 5f41919f35566b7699997b2ec7550d2660e3d9898bdd10e5fa9f16e35cad09d1
                      • Instruction ID: 0271ad4cbfe1028e499475b102db7ac5e80379d1984fd6ffa93f969942d1fdef
                      • Opcode Fuzzy Hash: 5f41919f35566b7699997b2ec7550d2660e3d9898bdd10e5fa9f16e35cad09d1
                      • Instruction Fuzzy Hash: 32F082D2F2AE4B4BEFE4A57C44F617CA2C2AF4A610B401439950EC72C7DC2DF80662C0
                      Memory Dump Source
                      • Source File: 00000000.00000002.2136766270.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd347d0000_Quotation For Inverter.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a12b2f60849f5973b66b9047c8216de65541243497ad0498c6258c743580bbec
                      • Instruction ID: f27bd23521d485a5bb066f34d3084deeb3a4a7f6e8c1f6c3a99601ae2f5efff6
                      • Opcode Fuzzy Hash: a12b2f60849f5973b66b9047c8216de65541243497ad0498c6258c743580bbec
                      • Instruction Fuzzy Hash: 82E0867285D249CBD3111B5495652E97B20FF47300F4516A6E148850A3EB2D6918C781
                      Memory Dump Source
                      • Source File: 00000000.00000002.2136766270.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd347d0000_Quotation For Inverter.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: e5c5e6631dd13373ac3ac84cf6a266f1c5649e6c0d1c984865207af431ee6949
                      • Instruction ID: 3f523422041d796c5630a731c50559060f2aef649d30511800b78be2a830483b
                      • Opcode Fuzzy Hash: e5c5e6631dd13373ac3ac84cf6a266f1c5649e6c0d1c984865207af431ee6949
                      • Instruction Fuzzy Hash: 0BF03070E180598AE758E7A480A53BCBBE1EF4A301F244179D54DD72CBDD2D68859790
                      Memory Dump Source
                      • Source File: 00000000.00000002.2136766270.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd347d0000_Quotation For Inverter.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: ec69f7b726f262f99b12e5d0aadd8e487478d88bf75669139a8972ce0ad4eff7
                      • Instruction ID: 0d86f00db727a32a5f50369c9eac87f54acf2561547f6cce7996160197400e42
                      • Opcode Fuzzy Hash: ec69f7b726f262f99b12e5d0aadd8e487478d88bf75669139a8972ce0ad4eff7
                      • Instruction Fuzzy Hash: 88E0BF317088098FE760EA0CD494BA533D2EB59321F1546B6D41AC72A5E928EC459781
                      Memory Dump Source
                      • Source File: 00000000.00000002.2136766270.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd347d0000_Quotation For Inverter.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b48ca4946f4acbcc43ed10c2c85b79877603224564e67561969a9f5b829ebf19
                      • Instruction ID: 88947240f0e99aa3b77dbbcf016a79982187fa48469af7eb3df08bc10dd44d2e
                      • Opcode Fuzzy Hash: b48ca4946f4acbcc43ed10c2c85b79877603224564e67561969a9f5b829ebf19
                      • Instruction Fuzzy Hash: 60F0A070B0954BCFE7A0DB08C4A07A9B3A2EF82351F10C3B2C00CD654ADA3869C89FC0
                      Memory Dump Source
                      • Source File: 00000000.00000002.2136766270.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd347d0000_Quotation For Inverter.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: cd468ce743cac1951bbe26e548c004474560453f3c25d991402d2700bd728049
                      • Instruction ID: 26102aea652b149e4238f4fd1e319514d74bdc7e1d808580c67de223b492dc45
                      • Opcode Fuzzy Hash: cd468ce743cac1951bbe26e548c004474560453f3c25d991402d2700bd728049
                      • Instruction Fuzzy Hash: 2CE0E6317148098FEB64EA0CC494E5833D1F765351B150366D415C72A4DE18ED448B80
                      Memory Dump Source
                      • Source File: 00000000.00000002.2136766270.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd347d0000_Quotation For Inverter.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 35788334ac0fa25ad63d5df8869115ce7d997c97a37b4bf27c465527c01e7089
                      • Instruction ID: de385387f48f71e179df5fae5960329996cfd6208d2eda113765feb510e8537b
                      • Opcode Fuzzy Hash: 35788334ac0fa25ad63d5df8869115ce7d997c97a37b4bf27c465527c01e7089
                      • Instruction Fuzzy Hash: 4FD05BF272D50547E578581CA4953B973C1DBC6750F00413BE28DC31918C68784615D2
                      Memory Dump Source
                      • Source File: 00000000.00000002.2136766270.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd347d0000_Quotation For Inverter.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: dcc846822547c8d7317fada932e14d54e0c8947a53d4c6bcdecd76d21fb3be21
                      • Instruction ID: 931165eeb2a54f15a6e54baca59d51c3b908eac74fc8bebebffa88095075c6f8
                      • Opcode Fuzzy Hash: dcc846822547c8d7317fada932e14d54e0c8947a53d4c6bcdecd76d21fb3be21
                      • Instruction Fuzzy Hash: 57D05E7470C4058EE728BE14A8A1AB83291E796310F150279E86BC72D6FD2CED5E0AC5
                      Memory Dump Source
                      • Source File: 00000000.00000002.2136766270.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd347d0000_Quotation For Inverter.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 55d3df29c2bdf654509a06da2bf9979fb83705b1c75f54bc51390d4ee7ff5718
                      • Instruction ID: 4df07b54d8aca57ffb5b5d9b9ae9545bdefe8e40d038a7dabc4ea105bf7a661a
                      • Opcode Fuzzy Hash: 55d3df29c2bdf654509a06da2bf9979fb83705b1c75f54bc51390d4ee7ff5718
                      • Instruction Fuzzy Hash: 40D01730E5A80ECADBB0DB1898607FDB774EB8A211F4000B6811DD2541ED3829989B50
                      Memory Dump Source
                      • Source File: 00000000.00000002.2136766270.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd347d0000_Quotation For Inverter.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 887457bbdda2a4a419438674286be7fab531875d2352245dd248f146a0f6c827
                      • Instruction ID: 987fbb840c793592c7f8dae1032444facd99f950463974f360407bfe43fecbe7
                      • Opcode Fuzzy Hash: 887457bbdda2a4a419438674286be7fab531875d2352245dd248f146a0f6c827
                      • Instruction Fuzzy Hash: 6BD0A930E0840CAFDB40EB98F8508FCB770EF8A300F0021BAD20CD3142CE302A448680
                      Memory Dump Source
                      • Source File: 00000000.00000002.2136766270.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd347d0000_Quotation For Inverter.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 174288989ee557b93ab54de9226109403d3d8d457f74119d539c08be5d3d0bd1
                      • Instruction ID: b90fab5668b0992d25c0855197d64dc34e27887e14e3bb16a05df83d6e57de21
                      • Opcode Fuzzy Hash: 174288989ee557b93ab54de9226109403d3d8d457f74119d539c08be5d3d0bd1
                      • Instruction Fuzzy Hash: 53D01285B2644A42F394612C54AD2B57791EF9B205FE04570A959C22CAEC1CB80B3380
                      Memory Dump Source
                      • Source File: 00000000.00000002.2136766270.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd347d0000_Quotation For Inverter.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: f8df27c69b94d1614acb23195eb481a7f25d4741245aad02410e5ec4e882068f
                      • Instruction ID: 161622712a0b706a142e9470bbe1c7c79b34fd47cb9e4c5cbdd1d25ef98489ae
                      • Opcode Fuzzy Hash: f8df27c69b94d1614acb23195eb481a7f25d4741245aad02410e5ec4e882068f
                      • Instruction Fuzzy Hash: 95D0A985B2600602E284251C689D3A122A2EF9B605FA08530BC98C218AEC2CA8072380
                      Memory Dump Source
                      • Source File: 00000000.00000002.2136766270.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd347d0000_Quotation For Inverter.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 36088b417658c80451f510a5d2e6a8cf2b6c48e9ef381f002dab2783011ac5d5
                      • Instruction ID: 16f71e232d2f74ec847f0735288f108cd76c13d32fea17205838007835a6a454
                      • Opcode Fuzzy Hash: 36088b417658c80451f510a5d2e6a8cf2b6c48e9ef381f002dab2783011ac5d5
                      • Instruction Fuzzy Hash: 79D0A9A1B6954A8BEB94BA0480A97A8B2A2EBA2300F240060530CD2285E92C7846C240
                      Memory Dump Source
                      • Source File: 00000000.00000002.2136766270.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd347d0000_Quotation For Inverter.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: aba72b5cdc39c79fbe5e71918ac6fa8fdd47dbf4bbc888394b187cefc8d0d0f3
                      • Instruction ID: c164847be455156aba9a59b99a666e35bbbfd75cd89bac181953503fa0b9dee6
                      • Opcode Fuzzy Hash: aba72b5cdc39c79fbe5e71918ac6fa8fdd47dbf4bbc888394b187cefc8d0d0f3
                      • Instruction Fuzzy Hash: A2C01253B3D84E8FEBA4DA089CA86B92392FB59241B200135955DC32A5DD2CB8129350
                      Memory Dump Source
                      • Source File: 00000000.00000002.2136766270.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd347d0000_Quotation For Inverter.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 2d453d83a83a9bb38304253e9ac06c33ec64d34a667128d2c7c25d05aa48962b
                      • Instruction ID: aba20866a008506b6cc9f3fcd77c11f7e7f53261c11e8160361ceb46cb91ba73
                      • Opcode Fuzzy Hash: 2d453d83a83a9bb38304253e9ac06c33ec64d34a667128d2c7c25d05aa48962b
                      • Instruction Fuzzy Hash: C7B092CBBBE84646E4AC440C34E50A562D2E78A24865846A4A21DC21AF9C0C78166190
                      Memory Dump Source
                      • Source File: 00000000.00000002.2136766270.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd347d0000_Quotation For Inverter.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 50aa923f4ba990bdf492ec290b7a7bda5dd05653d5edbb32138b6fdf0a10ad6a
                      • Instruction ID: ca6c55040e6d82169b25e28a8159aa52e9e64b204fcdc430bc7ba4fea4d2e061
                      • Opcode Fuzzy Hash: 50aa923f4ba990bdf492ec290b7a7bda5dd05653d5edbb32138b6fdf0a10ad6a
                      • Instruction Fuzzy Hash: EEC1E47190E3C44FE3269A249CA55A17FB4EF47314F1A41EFD4CAC70A3E91C684AD7A2
                      Memory Dump Source
                      • Source File: 00000000.00000002.2136766270.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd347d0000_Quotation For Inverter.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 2e1b6a95f6fa80c81638316419973d8e1dfa0112f2583d4debf4ad999455fc1a
                      • Instruction ID: 8228fd80bf3dfdcedaaea92cd7babbaa306ffe3a178b367fd838e7cd50f85fd9
                      • Opcode Fuzzy Hash: 2e1b6a95f6fa80c81638316419973d8e1dfa0112f2583d4debf4ad999455fc1a
                      • Instruction Fuzzy Hash: 25B1F77090D3898FD756DB68D8A56A97FF0FF47310F0642EAD099C71A3D628680ACB91
                      Memory Dump Source
                      • Source File: 00000000.00000002.2136766270.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd347d0000_Quotation For Inverter.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 4e35485822e701c3980276553a6737cd5ea98624ba714eb3b0b39a8f6d7980a4
                      • Instruction ID: 24eb4e3e5d99af39fbbcc016ddfe67d5b431f7a11bbb5a2bdbfbfd93978183d3
                      • Opcode Fuzzy Hash: 4e35485822e701c3980276553a6737cd5ea98624ba714eb3b0b39a8f6d7980a4
                      • Instruction Fuzzy Hash: 24B1C17150E3C58FD3169B748CA55657FB0EF47314B1A42EFD489CB0A3E628A80AD7A2

                      Execution Graph

                      Execution Coverage:7.9%
                      Dynamic/Decrypted Code Coverage:100%
                      Signature Coverage:0%
                      Total number of Nodes:6
                      Total number of Limit Nodes:0
                      Execution graph (nodes and edges, flattened from the rendered graph; the node labels are addresses in the dumped region and the API each node calls):
                      • 7604: 7ffd347ff548 -> 7605: 7ffd347ff551 (SetThreadContext) -> 7607: 7ffd34808549
                      • 7600: 7ffd347ff4ed -> 7601: 7ffd347ff4f1 (WriteProcessMemory) -> 7603: 7ffd34808341

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      Control-flow graph (basic blocks with their address ranges, the API called from a block, and successor blocks; flattened from the rendered graph):
                      • 164: 7ffd347ff4ed-7ffd34808278 -> 169, 170
                      • 169: 7ffd348082a0-7ffd3480833f (WriteProcessMemory) -> 171, 172
                      • 170: 7ffd3480827a-7ffd3480829d -> 169
                      • 171: 7ffd34808341 -> 172
                      • 172: 7ffd34808347-7ffd3480839f
                      Memory Dump Source
                      • Source File: 0000000B.00000002.2162260836.00007FFD347F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347F0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_7ffd347f0000_KaCTPSocApHQCE.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 928ebd14445224a3b41a9f2134da971809a4bca473947730a4cbb0247bd80b06
                      • Instruction ID: f27ad13a5787b596968970bcf7572fb2006615d4983c849e7a2ddea137720ffd
                      • Opcode Fuzzy Hash: 928ebd14445224a3b41a9f2134da971809a4bca473947730a4cbb0247bd80b06
                      • Instruction Fuzzy Hash: AA61F270A08A1C8FDB98DF58C895BE9BBF1FB6A310F1051AE904DE3251DB74A985CF40

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      Control-flow graph (basic blocks with their address ranges, the API called from a block, and successor blocks; flattened from the rendered graph):
                      • 174: 7ffd347ff548-7ffd34808547 (SetThreadContext) -> 179, 180
                      • 179: 7ffd3480854f-7ffd34808599
                      • 180: 7ffd34808549 -> 179
                      Memory Dump Source
                      • Source File: 0000000B.00000002.2162260836.00007FFD347F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347F0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_7ffd347f0000_KaCTPSocApHQCE.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: fb45faedcf335c9e117cb307275d0a2a757a33a5f67f6b6e69fda1e7cd1d3b07
                      • Instruction ID: d3847dc4f45a3ca0f8a54b8ce8270e8849188f4d5d879e21f4f6147c29f1ad48
                      • Opcode Fuzzy Hash: fb45faedcf335c9e117cb307275d0a2a757a33a5f67f6b6e69fda1e7cd1d3b07
                      • Instruction Fuzzy Hash: D1412A70A08A5C8FDB94DF98C885BEDBBF1FB59310F10426ED049E3256DB74A985CB40
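                      The execution graph and the two control-flow graphs above surface only two Win32 calls from the JIT-compiled code of process 11 (KaCTPSocApHQCE): WriteProcessMemory and SetThreadContext. Together they are the tail of the well-known suspended-process injection sequence (create a process suspended, write the payload into it, redirect its primary thread with SetThreadContext, resume). The following Python is an added triage example, not Joe Sandbox code and not part of this report: it parses the flattened graph text exactly as it appears in the report above, lists which block calls which API, confirms that the injection pair is present, and splits the memory-dump file name. Of the dump-name fields, only the process index, the phase and the base address are confirmed by the report's own snapshot name (hcaresult_11_2_7ffd347f0000_...); decoding field 5 as a Win32 page-protection constant and field 7 as a MEM_* type is an assumption about the naming scheme and is labelled as such in the code.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Graph text copied verbatim from the execution/control-flow graph sections of the report.
EXECUTION_GRAPH = (
    "execution_graph 7604 7ffd347ff548 7605 7ffd347ff551 SetThreadContext 7604->7605 "
    "7607 7ffd34808549 7605->7607 7600 7ffd347ff4ed 7601 7ffd347ff4f1 WriteProcessMemory "
    "7600->7601 7603 7ffd34808341 7601->7603"
)
CONTROL_FLOW_GRAPHS = [
    "control_flow_graph 164 7ffd347ff4ed-7ffd34808278 169 7ffd348082a0-7ffd3480833f "
    "WriteProcessMemory 164->169 170 7ffd3480827a-7ffd3480829d 164->170 171 7ffd34808341 "
    "169->171 172 7ffd34808347-7ffd3480839f 169->172 170->169 171->172",
    "control_flow_graph 174 7ffd347ff548-7ffd34808547 SetThreadContext 179 "
    "7ffd3480854f-7ffd34808599 174->179 180 7ffd34808549 174->180 180->179",
]
DUMP_NAME = "0000000B.00000002.2162260836.00007FFD347F0000.00000040.00000800.00020000.00000000.sdmp"

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
NODE_ID_RE = re.compile(r"^\d+$")
# Addresses are long hex strings, optionally a "start-end" range; short decimal node ids never match.
ADDR_RE = re.compile(r"^[0-9a-f]{8,}(?:-[0-9a-f]{8,})?$")

# Tail of the suspended-process injection sequence (process hollowing / thread hijack):
# CreateProcess(CREATE_SUSPENDED) -> WriteProcessMemory -> SetThreadContext -> ResumeThread.
INJECTION_APIS = ("WriteProcessMemory", "SetThreadContext")


@dataclass
class Graph:
    name: str
    nodes: Dict[str, Tuple[str, Optional[str]]] = field(default_factory=dict)  # id -> (addr, api)
    edges: List[Tuple[str, str]] = field(default_factory=list)                 # (src, dst)


def parse_graph(text: str) -> Graph:
    """Parse the flattened 'id addr [API] src->dst ...' token stream into nodes and edges."""
    tokens = text.split()
    g = Graph(name=tokens[0])
    current = None
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE_RE.match(tok)
        if edge:
            g.edges.append((edge.group(1), edge.group(2)))
        elif NODE_ID_RE.match(tok) and i + 1 < len(tokens) and ADDR_RE.match(tokens[i + 1]):
            current = tok
            g.nodes[current] = (tokens[i + 1], None)
            i += 1  # the address token belongs to this node
        elif current is not None:
            # A bare identifier after a node is the API called from that node/block.
            addr, _ = g.nodes[current]
            g.nodes[current] = (addr, tok)
        i += 1
    return g


def api_sites(graph: Graph) -> Dict[str, str]:
    """Map each API name to the address (or block range) it is called from."""
    return {api: addr for addr, api in graph.nodes.values() if api}


def successors(graph: Graph, node_id: str) -> List[str]:
    return [dst for src, dst in graph.edges if src == node_id]


def find_injection_chain(graphs: List[Graph]) -> List[str]:
    """Return the injection APIs present across all graphs, in the order the technique uses them."""
    seen = set()
    for g in graphs:
        seen.update(api_sites(g))
    return [api for api in INJECTION_APIS if api in seen]


PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}


def parse_dump_name(name: str) -> dict:
    """Split a Joe Sandbox .sdmp name. Process index, phase and base address match the
    report's snapshot name; reading field 5 as the Win32 page protection and field 7 as
    the MEM_* type is an ASSUMPTION about the naming scheme, not documented behaviour."""
    f = name.rsplit(".sdmp", 1)[0].split(".")
    prot, mtype = int(f[4], 16), int(f[6], 16)
    return {
        "process_index": int(f[0], 16),
        "phase": int(f[1], 16),
        "base": int(f[3], 16),
        "protection": PAGE_PROTECT.get(prot, hex(prot)),  # assumed field meaning
        "mem_type": MEM_TYPE.get(mtype, hex(mtype)),      # assumed field meaning
    }


if __name__ == "__main__":
    graphs = [parse_graph(EXECUTION_GRAPH)] + [parse_graph(t) for t in CONTROL_FLOW_GRAPHS]
    for g in graphs:
        print(g.name, api_sites(g))
    print("injection APIs:", find_injection_chain(graphs))
    print("dump region:", parse_dump_name(DUMP_NAME))
```

                      Running it prints the WriteProcessMemory block (7ffd348082a0-7ffd3480833f) and the SetThreadContext block (7ffd347ff548-7ffd34808547), reports both injection APIs as present, and, under the stated assumption, decodes the dumped region as private, execute-read-write memory, which is consistent with the report's "based on PE: false" and 100% dynamic-code coverage: the injector runs from JIT-compiled, non-image-backed memory rather than from the on-disk PE.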