Windows Analysis Report
RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe

Overview

General Information

Sample name: RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe
Analysis ID: 1451544
MD5: d617ed4ea343a0460e10f0e8a438cfeb
SHA1: ecc4649d9da615a3f10621e71451fbc4efe066b1
SHA256: 1ab3ec9401912cfc5ff446a0e2ce4e2510799d014e573f6d75cd32f6367818ab
Tags: exe, Formbook

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: RegAsm connects to smtp port
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Disables UAC (registry)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file does not import any functions
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe (PID: 7312 cmdline: "C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe" MD5: D617ED4EA343A0460E10F0E8A438CFEB)
    • conhost.exe (PID: 7320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7876 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe" -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7884 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 1724 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • RegAsm.exe (PID: 7924 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
    • WerFault.exe (PID: 8080 cmdline: C:\Windows\system32\WerFault.exe -u -p 7312 -s 1144 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution:
  • SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
Extracted malware configuration: {"Exfil Mode": "SMTP", "Port": "587", "Host": "smtp.zoho.eu", "Username": "logs@astonherald.com", "Password": "office12#"}
Source | Rule | Description | Author | Strings
00000000.00000002.1402644307.0000023ABA38A000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
0000000B.00000002.2510069403.0000000002DBE000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000B.00000002.2510069403.0000000002DE2000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000B.00000002.2510069403.0000000002D92000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0000000B.00000002.2510069403.0000000002D92000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Source | Rule | Description | Author | Strings
11.2.RegAsm.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
11.2.RegAsm.exe.400000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
11.2.RegAsm.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
11.2.RegAsm.exe.400000.0.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
  • 0x35b0f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x35b81:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x35c0b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x35c9d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x35d07:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x35d79:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x35e0f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x35e9f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe.23aca10df40.0.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security

Networking

Source: Network Connection | Author: Joe Security | Data: DestinationIp: 185.230.214.164, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Initiated: true, ProcessId: 7924, Protocol: tcp, SourceIp: 192.168.2.10, SourceIsIpv6: false, SourcePort: 49702

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe", ParentImage: C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe, ParentProcessId: 7312, ParentProcessName: RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe" -Force, ProcessId: 7876, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe", ParentImage: C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe, ParentProcessId: 7312, ParentProcessName: RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe" -Force, ProcessId: 7876, ProcessName: powershell.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe", ParentImage: C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe, ParentProcessId: 7312, ParentProcessName: RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe" -Force, ProcessId: 7876, ProcessName: powershell.exe
No Snort rule has matched

AV Detection

Source: 0.2.RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe.23aca0d0af8.1.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "smtp.zoho.eu", "Username": "logs@astonherald.com", "Password": "office12#"}
Source: RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | ReversingLabs: Detection: 28%
Source: RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | Virustotal: Detection: 26%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 98.8% probability

Exploits

Source: Yara match | File source: 00000000.00000002.1402644307.0000023ABA38A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe PID: 7312, type: MEMORYSTR
Source: RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Yara match | File source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe.23aca10df40.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe.23aca0d0af8.1.raw.unpack, type: UNPACKEDPE
Source: global traffic | TCP traffic: 192.168.2.10:49702 -> 185.230.214.164:587
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1, Host: ip-api.com, Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: Joe Sandbox View | ASN Name: TUT-ASUS
Source: Joe Sandbox View | ASN Name: COMPUTERLINE Computerline Schlierbach Switzerland CH
Source: unknown | DNS query: name: ip-api.com
Source: global traffic | TCP traffic: 192.168.2.10:49702 -> 185.230.214.164:587
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1, Host: ip-api.com, Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: global traffic | DNS traffic detected: DNS query: smtp.zoho.eu
Source: RegAsm.exe, 0000000B.00000002.2509923111.000000000129E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2510069403.0000000002DBE000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2510069403.0000000002F6C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2513997940.0000000006050000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2509923111.0000000001288000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.thawte.com/ThawteTLSRSACAG1.crt0
Source: RegAsm.exe, 0000000B.00000002.2509923111.000000000129E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2510069403.0000000002DBE000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2510069403.0000000002F6C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2513997940.0000000006050000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2509923111.0000000001288000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cdp.thawte.com/ThawteTLSRSACAG1.crl0p
Source: RegAsm.exe, 0000000B.00000002.2509923111.000000000129E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2510069403.0000000002DBE000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2513997940.0000000006050000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2509923111.0000000001288000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2513997940.00000000060BB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2513997940.00000000060A8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0=
Source: RegAsm.exe, 0000000B.00000002.2510069403.0000000002D61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com
Source: RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe, 00000000.00000002.1403203192.0000023ACA001000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2507112723.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2510069403.0000000002D61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: RegAsm.exe, 0000000B.00000002.2509923111.000000000129E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2510069403.0000000002DBE000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2513997940.0000000006050000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2509923111.0000000001288000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2513997940.00000000060BB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2513997940.00000000060A8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0B
Source: RegAsm.exe, 0000000B.00000002.2510069403.0000000002D61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegAsm.exe, 0000000B.00000002.2510069403.0000000002DBE000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2510069403.0000000002F6C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://smtp.zoho.eu
Source: RegAsm.exe, 0000000B.00000002.2509923111.000000000129E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2510069403.0000000002DBE000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2510069403.0000000002F6C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2513997940.0000000006050000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2509923111.0000000001288000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://status.thawte.com0:
Source: Amcache.hve.14.dr | String found in binary or memory: http://upx.sf.net
Source: RegAsm.exe, 0000000B.00000002.2509923111.000000000129E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2510069403.0000000002DBE000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2510069403.0000000002F6C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2513997940.0000000006050000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2509923111.0000000001288000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.digicert.com/CPS0
Source: RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe, 00000000.00000002.1403203192.0000023ACA001000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2507112723.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
Source: RegAsm.exe, 0000000B.00000002.2509923111.000000000129E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2510069403.0000000002DBE000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2513997940.0000000006050000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2509923111.0000000001288000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2513997940.00000000060BB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2513997940.00000000060A8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.digicert.com/CPS0

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe.23aca0d0af8.1.raw.unpack, gmBpn1ecBmQ.cs | .Net Code: cTytqmH
Source: 0.2.RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe.23aca10df40.0.raw.unpack, gmBpn1ecBmQ.cs | .Net Code: cTytqmH

                    System Summary

                    barindex
                    Source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe.23aca10df40.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe.23aca10df40.0.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe.23aca0d0af8.1.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe.23aca0d0af8.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe.23aca001a78.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: initial sample | Static PE information: Filename: RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | Code function: 0_2_00007FF7C19362E0
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | Code function: 0_2_00007FF7C193194D
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | Code function: 0_2_00007FF7C193A950
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | Code function: 0_2_00007FF7C1936190
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | Code function: 0_2_00007FF7C193EBBA
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | Code function: 0_2_00007FF7C1933898
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | Code function: 0_2_00007FF7C193CFB4
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | Code function: 0_2_00007FF7C19467E8
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | Code function: 0_2_00007FF7C193D779
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | Code function: 0_2_00007FF7C194071A
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | Code function: 0_2_00007FF7C1941F1F
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | Code function: 0_2_00007FF7C1A20000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_010E41F0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_010E4AC0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_010ECEA0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_010E3EA8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0665B5B8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_066533F8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_06650040
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_06659E28
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0665EA68
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_06655B98
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_06659128
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0665AED8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_06E66A10
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_06E6118C
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_06E61FF6
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_06E60040
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_06E60006
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_06650006
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7312 -s 1144
                    Source: RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | Static PE information: No import functions for PE file found
                    Source: RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe, 00000000.00000002.1403203192.0000023ACA001000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameIxoquxasuxakedomicoH vs RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe
                    Source: RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe, 00000000.00000002.1403203192.0000023ACA001000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename7bc3a901-84f9-4a81-8277-20a61843655f.exe4 vs RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe
                    Source: RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe, 00000000.00000000.1252851961.0000023AB800A000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameAmaxuqeB vs RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe
                    Source: RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | Binary or memory string: OriginalFilenameAmaxuqeB vs RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe
                    Source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe.23aca10df40.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe.23aca10df40.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe.23aca0d0af8.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe.23aca0d0af8.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe.23aca001a78.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe, -.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe.23aca0d0af8.1.raw.unpack, roEs93G.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe.23aca0d0af8.1.raw.unpack, roEs93G.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe.23aca0d0af8.1.raw.unpack, JQn0Aia1.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe.23aca0d0af8.1.raw.unpack, JQn0Aia1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 0.2.RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe.23aca0d0af8.1.raw.unpack, YsrmZ97b.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe.23aca0d0af8.1.raw.unpack, YsrmZ97b.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe.23aca0d0af8.1.raw.unpack, YsrmZ97b.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe.23aca0d0af8.1.raw.unpack, YsrmZ97b.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe, 00000000.00000002.1404704607.0000023AD2901000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbTg
                    Source: RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe, 00000000.00000002.1402060140.0000023AB8203000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb
                    Source: classification engine | Classification label: mal100.spre.troj.spyw.expl.evad.winEXE@9/11@2/2
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7884:120:WilError_03
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Mutant created: NULL
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7320:120:WilError_03
                    Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7312
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bjisuyec.ouf.ps1
                    Source: RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | Static file information: TRID: Win64 Executable Console Net Framework (206006/5) 48.58%
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | File read: C:\Users\user\Desktop\desktop.ini
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | ReversingLabs: Detection: 28%
                    Source: RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | Virustotal: Detection: 26%
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | File read: C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe
                    Source: unknown | Process created: C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe "C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe"
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe" -Force
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7312 -s 1144
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe" -Force
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | Section loaded: mscoree.dll
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | Section loaded: version.dll
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | Section loaded: amsi.dll
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | Section loaded: propsys.dll
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | Section loaded: edputil.dll
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | Section loaded: urlmon.dll
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | Section loaded: iertutil.dll
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | Section loaded: srvcli.dll
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | Section loaded: netutils.dll
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | Section loaded: windows.staterepositoryps.dll
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | Section loaded: wintypes.dll
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | Section loaded: appresolver.dll
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | Section loaded: bcp47langs.dll
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | Section loaded: slc.dll
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | Section loaded: sppc.dll
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | Section loaded: onecorecommonproxystub.dll
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | Section loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mscoree.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: apphelp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: aclayers.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mpr.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc_os.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: version.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: uxtheme.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wldp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: profapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rsaenh.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptbase.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wbemcomn.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: amsi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: userenv.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rasapi32.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rasman.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rtutils.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mswsock.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winhttp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: iphlpapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dhcpcsvc6.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dhcpcsvc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dnsapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winnsi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rasadhlp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: fwpuclnt.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: vaultcli.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wintypes.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: secur32.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: schannel.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mskeyprotect.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ntasn1.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ncrypt.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ncryptsslp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: msasn1.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dpapi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
                    Source: RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: System.Windows.Forms.ni.pdb source: WER987F.tmp.dmp.14.dr
                    Source: Binary string: System.Drawing.ni.pdb source: WER987F.tmp.dmp.14.dr
                    Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb00.0 source: RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe, 00000000.00000002.1404704607.0000023AD28A0000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: indoC:\Windows\System.pdb source: RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe, 00000000.00000002.1401521888.000000E50E102000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER987F.tmp.dmp.14.dr
                    Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb source: RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe, 00000000.00000002.1404704607.0000023AD28A0000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: 0C:\Windows\System.pdb source: RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe, 00000000.00000002.1401521888.000000E50E102000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: System.Drawing.ni.pdbRSDS source: WER987F.tmp.dmp.14.dr
                    Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb=G source: RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe, 00000000.00000002.1404704607.0000023AD2926000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.Xml.ni.pdbRSDS# source: WER987F.tmp.dmp.14.dr
                    Source: Binary string: System.Core.ni.pdb source: WER987F.tmp.dmp.14.dr
                    Source: Binary string: Microsoft.VisualBasic.pdb source: WER987F.tmp.dmp.14.dr
                    Source: Binary string: symbols\dll\System.pdb.pdb source: RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe, 00000000.00000002.1401521888.000000E50E102000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WER987F.tmp.dmp.14.dr
                    Source: Binary string: \??\C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.PDB89 source: RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe, 00000000.00000002.1402060140.0000023AB8275000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: mscorlib.ni.pdb source: WER987F.tmp.dmp.14.dr
                    Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe, 00000000.00000002.1404704607.0000023AD2926000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\mscorlib.pdb source: RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe, 00000000.00000002.1404704607.0000023AD2926000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.Xml.pdbSystem.Core.ni.dll source: WER987F.tmp.dmp.14.dr
                    Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER987F.tmp.dmp.14.dr
                    Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb source: RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe, 00000000.00000002.1404704607.0000023AD28A0000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.pdb28t source: RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe, 00000000.00000002.1404704607.0000023AD2926000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: assembly\GAC_MSC:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe, 00000000.00000002.1401521888.000000E50E102000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WER987F.tmp.dmp.14.dr
                    Source: Binary string: System.Xml.ni.pdb source: WER987F.tmp.dmp.14.dr
                    Source: Binary string: C:\Windows\System.pdbpdbtem.pdb source: RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe, 00000000.00000002.1404704607.0000023AD2901000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.ni.pdbRSDS source: WER987F.tmp.dmp.14.dr
                    Source: Binary string: System.Configuration.ni.pdb source: WER987F.tmp.dmp.14.dr
                    Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER987F.tmp.dmp.14.dr
                    Source: Binary string: System.Configuration.pdb source: WER987F.tmp.dmp.14.dr
                    Source: Binary string: \??\C:\Windows\System.pdb source: RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe, 00000000.00000002.1404704607.0000023AD2926000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\System.pdb$B source: RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe, 00000000.00000002.1404704607.0000023AD2926000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.Windows.Forms.pdb` source: WER987F.tmp.dmp.14.dr
                    Source: Binary string: System.Xml.pdb source: WER987F.tmp.dmp.14.dr
                    Source: Binary string: System.pdb source: WER987F.tmp.dmp.14.dr
                    Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdbexe source: RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe, 00000000.00000002.1404704607.0000023AD28A0000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe, 00000000.00000002.1402060140.0000023AB8203000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\dll\System.pdbok source: RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe, 00000000.00000002.1404704607.0000023AD2901000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbb* source: RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe, 00000000.00000002.1402060140.0000023AB8275000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.Windows.Forms.pdb source: WER987F.tmp.dmp.14.dr
                    Source: Binary string: mscorlib.pdb source: WER987F.tmp.dmp.14.dr
                    Source: Binary string: mscorlib.pdb source: RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe, 00000000.00000002.1404704607.0000023AD2901000.00000004.00000020.00020000.00000000.sdmp, WER987F.tmp.dmp.14.dr
                    Source: Binary string: \??\C:\Windows\dll\System.pdb source: RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe, 00000000.00000002.1404704607.0000023AD2901000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.pdbs\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32bdX source: RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe, 00000000.00000002.1404704607.0000023AD2901000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.Drawing.pdb source: WER987F.tmp.dmp.14.dr
                    Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe, 00000000.00000002.1402060140.0000023AB8275000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbTg source: RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe, 00000000.00000002.1404704607.0000023AD2901000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.Core.pdb source: WER987F.tmp.dmp.14.dr
                    Source: Binary string: System.pdbSystem.pdbpdbtem.pdbGAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe, 00000000.00000002.1401521888.000000E50E102000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: System.ni.pdb source: WER987F.tmp.dmp.14.dr
                    Source: Binary string: System.Drawing.pdbh source: WER987F.tmp.dmp.14.dr
                    Source: Binary string: System.Core.ni.pdbRSDS source: WER987F.tmp.dmp.14.dr
                    Source: RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe Static PE information: 0x98EF0654 [Sat Apr 22 18:39:16 2051 UTC]
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe Code function: 0_2_00007FF7C1936EB9 push eax; retf 0_2_00007FF7C1936ECE
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe Code function: 0_2_00007FF7C19300BD pushad ; iretd 0_2_00007FF7C19300C1
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe Code function: 0_2_00007FF7C1A20000 push esp; retf 4810h 0_2_00007FF7C1A20312
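                    The PDB strings and the PE timestamp listed above are both recoverable from the file before detonation. The Python below is an added example written for this report, not Joe Sandbox output and not code from the sample: it reads TimeDateStamp out of IMAGE_FILE_HEADER and decodes it the way the line above does (0x98EF0654 is 2051-04-22 18:39:16 UTC), flags values that lie in the future or before any plausible toolchain, and walks the image for RSDS CodeView records to recover embedded PDB paths. The PE image it builds for itself is constructed (an MZ stub, a PE header carrying the report's timestamp, one RSDS record), the path C:\build\sample.pdb is made up, and the function names are assumptions of this example.

```python
"""Static PE triage: compile-timestamp sanity check and PDB path extraction.
Added example; assumes nothing about the sample beyond the TimeDateStamp the report shows."""
import struct
from datetime import datetime, timedelta, timezone


def build_sample_pe(timestamp, pdb_path):
    """Constructed stand-in for a PE file (not the analysed sample): an MZ stub whose
    e_lfanew points at a PE signature + IMAGE_FILE_HEADER, followed by one RSDS record."""
    mz = bytearray(0x80)
    mz[0:2] = b"MZ"
    struct.pack_into("<I", mz, 0x3C, 0x80)  # e_lfanew: PE header lives at offset 0x80
    file_header = struct.pack(
        "<IHHIIIHH",
        0x00004550,  # "PE\0\0" signature as a little-endian DWORD
        0x8664,      # Machine: AMD64
        0,           # NumberOfSections
        timestamp,   # TimeDateStamp
        0, 0,        # PointerToSymbolTable, NumberOfSymbols
        0, 0,        # SizeOfOptionalHeader, Characteristics
    )
    # CodeView record: "RSDS" + 16-byte GUID + 4-byte age + NUL-terminated path
    rsds = b"RSDS" + bytes(range(16)) + struct.pack("<I", 1) + pdb_path + b"\0"
    return bytes(mz) + file_header + b"\0" * 16 + rsds


def pe_timestamp(data):
    """Return IMAGE_FILE_HEADER.TimeDateStamp from a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # Signature (4) + Machine (2) + NumberOfSections (2) precede TimeDateStamp
    return struct.unpack_from("<I", data, pe_off + 8)[0]


def timestamp_verdict(ts, now=None):
    """Classify a TimeDateStamp; returns (verdict, decoded UTC datetime or None)."""
    now = now or datetime.now(timezone.utc)
    if ts == 0:
        return "zeroed", None
    when = datetime.fromtimestamp(ts, tz=timezone.utc)
    if when > now + timedelta(days=1):   # a day of slack for build-machine clock skew
        return "future", when
    if when.year < 1995:                 # predates any PE toolchain still in use
        return "implausibly_old", when
    return "plausible", when


def pdb_paths(data):
    """Recover the PDB path from every RSDS CodeView record found in the image."""
    found = []
    pos = data.find(b"RSDS")
    while pos != -1:
        start = pos + 4 + 16 + 4            # skip signature, GUID and age
        end = data.find(b"\0", start)
        if end != -1:
            path = data[start:end]
            if path and all(0x20 <= b < 0x7F for b in path):  # printable ASCII only
                found.append(path.decode("ascii"))
        pos = data.find(b"RSDS", pos + 4)
    return found


def triage(data, now=None):
    """Combine both checks into one record for the image."""
    ts = pe_timestamp(data)
    verdict, when = timestamp_verdict(ts, now)
    return {"timestamp": ts, "verdict": verdict, "compiled": when,
            "pdb_paths": pdb_paths(data)}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        blob = open(sys.argv[1], "rb").read()
    else:  # no file given: use the constructed image carrying the report's timestamp
        blob = build_sample_pe(0x98EF0654, b"C:\\build\\sample.pdb")
    result = triage(blob)
    print(f"TimeDateStamp 0x{result['timestamp']:08X} -> {result['compiled']} ({result['verdict']})")
    for path in result["pdb_paths"]:
        print("PDB path:", path)
```

                    One caveat for .NET targets such as this sample: Roslyn's deterministic builds, the default in current .NET SDKs, store a content hash in TimeDateStamp instead of a clock value, typically with the high bit set so the decoded date lands after 2038. A date decades in the future is therefore common on legitimate managed assemblies and should be weighed with the rest of the report rather than on its own; a zero timestamp is the other frequent non-clock value.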

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (4 identical entries)
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (3 identical entries)
                    PowerShell reads the module manifests on PSModulePath while resolving commands (module auto-loading), so opening BitLocker.psd1 shows that these powershell.exe instances performed command discovery, not that any BitLocker cmdlet ran.
                    Source: C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe Process information set: NOOPENFILEERRORBOX (44 identical entries)
                    NOOPENFILEERRORBOX is the SEM_NOOPENFILEERRORBOX flag of SetErrorMode: it suppresses the dialog Windows would otherwise raise when a file or DLL cannot be found, so a failed load stays silent. Setting it is routine for .NET processes, and the sample, powershell.exe and RegAsm.exe are all CLR hosts, so these entries are weak evidence of hiding on their own.
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (92 identical entries)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX (36 identical entries)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exe  Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (5 identical events)
Source: C:\Windows\System32\WerFault.exe  Process information set: NOOPENFILEERRORBOX (51 identical events)

                    Malware Analysis System Evasion

Source: Yara match  File source: Process Memory Space: RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe PID: 7312, type: MEMORYSTR
Source: global traffic  HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1  Host: ip-api.com  Connection: Keep-Alive (the ip-api.com "hosting" field reports whether the public IP belongs to a hosting, data-center or colocation provider, which is how the sample decides it is running in an analysis environment rather than on a victim machine)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe, 00000000.00000002.1402644307.0000023ABA38A000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: WINE_GET_UNIX_FILE_NAME (export present only in Wine's kernel32, a common Wine check)
Source: RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe, 00000000.00000002.1402644307.0000023ABA38A000.00000004.00000800.00020000.00000000.sdmp, RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe, 00000000.00000002.1403203192.0000023ACA001000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2507112723.0000000000402000.00000040.00000400.00020000.00000000.sdmp  Binary or memory string: SBIEDLL.DLL (the Sandboxie hook DLL; its presence in the process is a standard sandbox check)
Source: C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe  Memory allocated: 23AB8340000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe  Memory allocated: 23AD1FF0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Memory allocated: 10E0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Memory allocated: 2D60000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Memory allocated: 4D60000 memory reserve | memory write watch
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Thread delayed: delay time: 922337203685477 (this value is 2^63 / 10,000, i.e. the magnitude of the LARGE_INTEGER Windows uses for an INFINITE wait expressed in milliseconds; it is consistent with a thread blocking indefinitely, such as Sleep(INFINITE), rather than a timed anti-sandbox sleep, and the same value shows up in the unrelated powershell.exe process)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 6414
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 3212
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Window / User API: threadDelayed 2669
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Window / User API: threadDelayed 7186
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8128  Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5860  Thread sleep count: 34 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5860  Thread sleep time: -31359464925306218s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3752  Thread sleep count: 2669 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3752  Thread sleep count: 7186 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5860  Thread sleep time >= -30000s, 50 calls in this order: -100000s, -99872s, -99749s, -99640s, -99495s, -99375s, -99265s, -99148s, -98881s, -98750s, -98640s, -98531s, -98421s, -98312s, -98203s, -98093s, -97984s, -97875s, -97765s, -97656s, -97546s, -97437s, -97328s, -97218s, -97109s, -97000s, -96890s, -96781s, -96672s, -96562s, -96452s, -96343s, -96234s, -96125s, -96015s, -95906s, -95795s, -95687s, -95578s, -95468s, -95359s, -95250s, -99937s, -99828s, -99718s, -99609s, -99500s, -99390s, -99281s, -99163s
(The unit suffix is as printed by the report; the negative sign is the relative-time convention of NtDelayExecution. The same numbers appear as the "Thread delayed" values further down and, read as milliseconds, they are roughly 100-second sleeps, each above the 30-second threshold. Successive values step down by about 110 to 130 ms and then restart near 100000, which is consistent with a loop that re-requests the time remaining until a deadline after each wake-up instead of issuing a single long sleep; that pattern survives sandboxes that shorten individual sleeps.)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor (2 identical queries)
Source: C:\Windows\System32\conhost.exe  Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Thread delayed: delay time, 50 calls in this order (the same sequence as the thread sleep times above): 100000, 99872, 99749, 99640, 99495, 99375, 99265, 99148, 98881, 98750, 98640, 98531, 98421, 98312, 98203, 98093, 97984, 97875, 97765, 97656, 97546, 97437, 97328, 97218, 97109, 97000, 96890, 96781, 96672, 96562, 96452, 96343, 96234, 96125, 96015, 95906, 95795, 95687, 95578, 95468, 95359, 95250, 99937, 99828, 99718, 99609, 99500, 99390, 99281, 99163
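The evasion signatures in this section are easier to reason about when they are aggregated per technique rather than read one event at a time: which environment checks the sample performed (ip-api.com hosting lookup, WMI hardware classes, Sandboxie/Wine/VMware strings), how much sleep it requested, and whether the sleep sequence looks like a countdown loop. The following Python script is an added example for this report, not Joe Sandbox code or part of the sample; it reconstructs the "Source: ... : detail" line format from the entries above (the regular expression and the field names are this example's own assumptions), runs over a constructed excerpt of those entries, and distinguishes strings found in the sample's own memory dumps (.sdmp) from strings found in dropped files (.dr), since the latter describe the analysis machine rather than the sample's checks. The infinite-wait interpretation of 922337203685477 (2^63 / 10,000 ms) is likewise this example's reading of the value.

```python
"""Aggregate sandbox-evasion indicators from Joe Sandbox behaviour lines.

Added example; not Joe Sandbox code. The line format is reconstructed from the
report's signature entries, and SAMPLE_LINES is a constructed excerpt of them.
"""
import re
from collections import Counter

# 2^63 / 10,000 ticks per ms. Windows uses a LARGE_INTEGER of this magnitude for an
# INFINITE wait, so a delay of this size is read as an indefinite block (assumption).
INFINITE_WAIT_MS = (1 << 63) // 10_000          # 922337203685477

SLEEP_THRESHOLD_MS = 30_000   # the report's own ">= -30000s" threshold, read as ms

# Reconstructed line shape: "Source: <source>  <kind>: <detail>" (assumption).
LINE_RE = re.compile(
    r"^Source:\s*(?P<source>.+?)\s+"
    r"(?P<kind>HTTP traffic detected|WMI Queries|Binary or memory string|"
    r"Thread delayed|Thread sleep time|Thread sleep count):\s*(?P<detail>.+)$"
)

# Strings that identify an analysis environment, keyed by indicator name.
ENV_MARKERS = {
    "sandboxie": ("SBIEDLL.DLL",),
    "wine": ("WINE_GET_UNIX_FILE_NAME",),
    "vmware": ("VMWARE", "VMCI.SYS", "VMMOUSE.SYS", "VMHGFS.SYS"),
}

# Constructed excerpt of the report's entries (abridged; not the full event list).
SAMPLE_LINES = r"""
Source: global traffic  HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1  Host: ip-api.com  Connection: Keep-Alive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: RegAsm.exe, 0000000B.00000002.2507112723.0000000000402000.00000040.00000400.00020000.00000000.sdmp  Binary or memory string: SBIEDLL.DLL
Source: RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe, 00000000.00000002.1402644307.0000023ABA38A000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe, 00000000.00000002.1402644307.0000023ABA38A000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: VMware SVGA II
Source: Amcache.hve.14.dr  Binary or memory string: VMware Virtual USB Mouse
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Thread delayed: delay time: 100000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5860  Thread sleep time: -100000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5860  Thread sleep time: -99872s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5860  Thread sleep time: -99749s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3752  Thread sleep count: 2669 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
"""


def parse_lines(text):
    """Yield (source, kind, detail) for every line that matches the report format."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group("source"), m.group("kind"), m.group("detail")


def is_countdown(values, min_len=3, max_step_ms=1_000):
    """True when successive sleeps shrink by a small positive step, the shape left by a
    loop that re-requests the time remaining to a fixed deadline after each wake-up."""
    if len(values) < min_len:
        return False
    steps = [a - b for a, b in zip(values, values[1:])]
    return all(0 < s <= max_step_ms for s in steps)


def summarise(text):
    """Aggregate evasion indicators from behaviour lines into a plain dict."""
    sleeps_ms = []
    summary = {
        "hosting_lookup": False,              # ip-api.com ?fields=hosting seen
        "wmi_classes": set(),                 # hardware classes enumerated via WMI
        "env_markers_in_sample": Counter(),   # strings in the sample's own memory (.sdmp)
        "env_markers_in_dropped": Counter(),  # strings in dropped files (.dr), e.g. Amcache
        "infinite_waits": 0,                  # delays equal to INFINITE_WAIT_MS
        "sleep_calls_over_threshold": 0,
        "sleep_total_ms": 0,
        "high_sleep_count": False,            # any "Thread sleep count: N > 30"
    }
    for source, kind, detail in parse_lines(text):
        if kind == "HTTP traffic detected":
            if "ip-api.com" in detail and "fields=hosting" in detail:
                summary["hosting_lookup"] = True
        elif kind == "WMI Queries":
            # The class is the last token: "... : Win32_BaseBoard" / "... FROM Win32_Processor"
            summary["wmi_classes"].add(detail.split()[-1])
        elif kind == "Binary or memory string":
            upper = detail.upper()
            bucket = "env_markers_in_sample" if source.endswith(".sdmp") else "env_markers_in_dropped"
            for name, needles in ENV_MARKERS.items():
                if any(n in upper for n in needles):
                    summary[bucket][name] += 1
        elif kind == "Thread delayed":
            if int(detail.rsplit(":", 1)[1]) == INFINITE_WAIT_MS:
                summary["infinite_waits"] += 1
        elif kind == "Thread sleep time":
            ms = abs(int(detail.split("s", 1)[0]))   # "-100000s >= -30000s" -> 100000
            sleeps_ms.append(ms)
            summary["sleep_total_ms"] += ms
            if ms >= SLEEP_THRESHOLD_MS:
                summary["sleep_calls_over_threshold"] += 1
        elif kind == "Thread sleep count":
            summary["high_sleep_count"] |= int(detail.split()[0]) > 30
    summary["countdown_loop"] = is_countdown(sleeps_ms)
    return summary


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

Run on the excerpt, the summary reports the hosting lookup, three WMI hardware classes, Sandboxie, Wine and VMware markers in the sample's own memory but only a VMware marker in the dropped Amcache hive, two infinite waits, three sleeps over the threshold totalling about 300 s, and a countdown-shaped sleep sequence. Tune `max_step_ms` in `is_countdown` to the step size you see in a given report; the sequence above steps by roughly 110 to 130 ms.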
Source: RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe, 00000000.00000002.1402644307.0000023ABA38A000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe, 00000000.00000002.1402644307.0000023ABA38A000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: VMWARE
Source: RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe, 00000000.00000002.1402644307.0000023ABA38A000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe, 00000000.00000002.1402644307.0000023ABA38A000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe, 00000000.00000002.1402644307.0000023ABA38A000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: VMware SVGA II
(The strings above come from the sample's own process memory and are the sample's VM-detection material: the VMware Tools install path and registry key, the vmmouse.sys/vmhgfs.sys driver paths, the SCSI DEVICEMAP and Disk\Enum keys whose values carry the virtual-disk vendor string, and the VMware SVGA II display adapter name.)
Source: Amcache.hve.14.dr  Binary or memory string: VMware
Source: Amcache.hve.14.dr  Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.14.dr  Binary or memory string: vmci.syshbin
Source: Amcache.hve.14.dr  Binary or memory string: VMware, Inc.
Source: Amcache.hve.14.dr  Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.14.dr  Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.14.dr  Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.14.dr  Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.14.dr  Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.14.dr  Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.14.dr  Binary or memory string: c:/windows/system32/drivers/vmci.sys
(Amcache.hve.14.dr is a dropped copy of the analysis machine's Amcache hive, which inventories the drivers and devices of the machine that ran the sample. The VMware strings in it describe the sandbox's own virtual hardware and are not evidence that the sample looked for them; weigh the sample-memory strings above, not the Amcache strings, when assessing the sample's anti-VM logic.)
                    Source: Amcache.hve.14.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                    Source: RegAsm.exe, 0000000B.00000002.2513997940.0000000006050000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: Amcache.hve.14.drBinary or memory string: vmci.sys
                    Source: RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe, 00000000.00000002.1402644307.0000023ABA38A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
                    Source: Amcache.hve.14.drBinary or memory string: vmci.syshbin`
                    Source: RegAsm.exe, 0000000B.00000002.2507112723.0000000000402000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: vmware
                    Source: Amcache.hve.14.drBinary or memory string: \driver\vmci,\driver\pci
                    Source: RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe, 00000000.00000002.1402644307.0000023ABA38A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
                    Source: RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe, 00000000.00000002.1402644307.0000023ABA38A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                    Source: Amcache.hve.14.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                    Source: Amcache.hve.14.drBinary or memory string: VMware-42 27 ae 88 8c 2b 21 02-a5 86 22 5b 84 51 ac f0
                    Source: Amcache.hve.14.drBinary or memory string: VMware20,1
                    Source: Amcache.hve.14.drBinary or memory string: Microsoft Hyper-V Generation Counter
                    Source: Amcache.hve.14.drBinary or memory string: NECVMWar VMware SATA CD00
                    Source: Amcache.hve.14.drBinary or memory string: VMware Virtual disk SCSI Disk Device
                    Source: Amcache.hve.14.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                    Source: Amcache.hve.14.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                    Source: Amcache.hve.14.drBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                    Source: Amcache.hve.14.drBinary or memory string: VMware PCI VMCI Bus Device
                    Source: RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe, 00000000.00000002.1402644307.0000023ABA38A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
                    Source: RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe, 00000000.00000002.1402644307.0000023ABA38A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
                    Source: Amcache.hve.14.drBinary or memory string: VMware VMCI Bus Device
                    Source: Amcache.hve.14.drBinary or memory string: VMware Virtual RAM
                    Source: Amcache.hve.14.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                    Source: RegAsm.exe, 0000000B.00000002.2507112723.0000000000402000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: VMwareVBox
                    Source: Amcache.hve.14.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior

Anti Debugging

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_010E70B0 CheckRemoteDebuggerPresent, 11_2_010E70B0
Source: C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe" -Force
Source: C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe" -Force
Source: C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
Source: C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 440000
Source: C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 442000
Source: C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: CA0008
Source: C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe" -Force
Source: C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Source: C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | Queries volume information: C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA
Source: Amcache.hve.14.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.14.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.14.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.14.dr | Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match | File source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe.23aca10df40.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe.23aca10df40.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe.23aca0d0af8.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe.23aca0d0af8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe.23aca001a78.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000B.00000002.2510069403.0000000002DBE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2510069403.0000000002DE2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2510069403.0000000002D92000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2507112723.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1403203192.0000023ACA001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe PID: 7312, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 7924, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\cookies.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match | File source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe.23aca10df40.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe.23aca10df40.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe.23aca0d0af8.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe.23aca0d0af8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe.23aca001a78.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000B.00000002.2510069403.0000000002D92000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2507112723.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1403203192.0000023ACA001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe PID: 7312, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 7924, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe.23aca10df40.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe.23aca10df40.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe.23aca0d0af8.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe.23aca0d0af8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe.23aca001a78.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000B.00000002.2510069403.0000000002DBE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2510069403.0000000002DE2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2510069403.0000000002D92000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2507112723.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1403203192.0000023ACA001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe PID: 7312, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 7924, type: MEMORYSTR

MITRE ATT&CK Matrix (techniques listed per tactic column, in the report's row order; numeric prefixes are reproduced as they appear in the matrix)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: 121 Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: 1 DLL Side-Loading; 311 Process Injection; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: 21 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 1 Obfuscated Files or Information; 1 Timestomp; 1 DLL Side-Loading; 151 Virtualization/Sandbox Evasion; 311 Process Injection
Credential Access: 2 OS Credential Dumping; 1 Input Capture; 1 Credentials in Registry; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: 1 File and Directory Discovery; 24 System Information Discovery; 431 Security Software Discovery; 1 Process Discovery; 151 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: 11 Archive Collected Data; 2 Data from Local System; 1 Email Collection; 1 Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: 1 Ingress Tool Transfer; 1 Encrypted Channel; 1 Non-Standard Port; 2 Non-Application Layer Protocol; 12 Application Layer Protocol; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Behavior Graph (ID: 1451544; Sample: RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe; Startdate: 04/06/2024; Architecture: WINDOWS; Score: 100)
Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 10 other signatures.
Process tree: RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe started RegAsm.exe, powershell.exe, WerFault.exe and conhost.exe; powershell.exe started conhost.exe and WmiPrvSE.exe.
Signatures on RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Writes to foreign memory regions; Allocates memory in foreign processes; 3 other signatures.
Signatures on RegAsm.exe: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Tries to steal Mail credentials (via file / registry access); 3 other signatures.
Signatures on powershell.exe: Loading BitLocker PowerShell Module.
Network (from RegAsm.exe): ip-api.com, 208.95.112.1, ports 49701 and 80 (TUT-ASUS, United States); smtp.zoho.eu, 185.230.214.164, ports 49702, 49709 and 587 (COMPUTERLINEComputerlineSchlierbachSwitzerlandCH, Netherlands).

                    SourceDetectionScannerLabelLink
                    RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe29%ReversingLabsWin64.Trojan.GenSteal
                    RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe26%VirustotalBrowse
                    No Antivirus matches
                    No Antivirus matches
Source | Detection | Scanner | Label | Link
smtp.zoho.eu | 0% | Virustotal | | Browse
ip-api.com | 0% | Virustotal | | Browse

Source | Detection | Scanner | Label | Link
http://upx.sf.net | 0% | URL Reputation | safe |
http://upx.sf.net | 0% | URL Reputation | safe |
https://account.dyn.com/ | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
http://ip-api.com/line/?fields=hosting | 0% | URL Reputation | safe |
http://ip-api.com | 0% | URL Reputation | safe |
http://status.thawte.com0: | 0% | Avira URL Cloud | safe |
http://cacerts.thawte.com/ThawteTLSRSACAG1.crt0 | 0% | Avira URL Cloud | safe |
http://cdp.thawte.com/ThawteTLSRSACAG1.crl0p | 0% | Avira URL Cloud | safe |
http://smtp.zoho.eu | 0% | Avira URL Cloud | safe |
http://smtp.zoho.eu | 0% | Virustotal | | Browse
http://cacerts.thawte.com/ThawteTLSRSACAG1.crt0 | 0% | Virustotal | | Browse
http://cdp.thawte.com/ThawteTLSRSACAG1.crl0p | 0% | Virustotal | | Browse
Name | IP | Active | Malicious | Antivirus Detection | Reputation
smtp.zoho.eu | 185.230.214.164 | true | true | | unknown
ip-api.com | 208.95.112.1 | true | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
http://ip-api.com/line/?fields=hosting | false | URL Reputation: safe | unknown
Name: http://upx.sf.net
Source: Amcache.hve.14.dr
Malicious: false
Antivirus Detection: URL Reputation: safe; URL Reputation: safe
Reputation: unknown

Name: https://account.dyn.com/
Source: RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe, 00000000.00000002.1403203192.0000023ACA001000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2507112723.0000000000402000.00000040.00000400.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegAsm.exe, 0000000B.00000002.2510069403.0000000002D61000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: http://cacerts.thawte.com/ThawteTLSRSACAG1.crt0
Source: RegAsm.exe, 0000000B.00000002.2509923111.000000000129E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2510069403.0000000002DBE000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2510069403.0000000002F6C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2513997940.0000000006050000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2509923111.0000000001288000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: 0%, Virustotal, Browse; Avira URL Cloud: safe
Reputation: unknown

Name: http://cdp.thawte.com/ThawteTLSRSACAG1.crl0p
Source: RegAsm.exe, 0000000B.00000002.2509923111.000000000129E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2510069403.0000000002DBE000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2510069403.0000000002F6C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2513997940.0000000006050000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2509923111.0000000001288000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: 0%, Virustotal, Browse; Avira URL Cloud: safe
Reputation: unknown

Name: http://status.thawte.com0:
Source: RegAsm.exe, 0000000B.00000002.2509923111.000000000129E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2510069403.0000000002DBE000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2510069403.0000000002F6C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2513997940.0000000006050000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2509923111.0000000001288000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

Name: http://smtp.zoho.eu
Source: RegAsm.exe, 0000000B.00000002.2510069403.0000000002DBE000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2510069403.0000000002F6C000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: 0%, Virustotal, Browse; Avira URL Cloud: safe
Reputation: unknown

Name: http://ip-api.com
Source: RegAsm.exe, 0000000B.00000002.2510069403.0000000002D61000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown
IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | true
185.230.214.164 | smtp.zoho.eu | Netherlands | 41913 | COMPUTERLINEComputerlineSchlierbachSwitzerlandCH | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1451544
Start date and time: 2024-06-04 08:18:07 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 48s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 22
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe
Detection: MAL
Classification: mal100.spre.troj.spyw.expl.evad.winEXE@9/11@2/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 90%
• Number of executed functions: 68
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, Sgrmuserer.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 20.189.173.21
• Excluded domains from analysis (whitelisted): login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
Time | Type | Description
02:19:07 | API Interceptor | 18x Sleep call for process: powershell.exe modified
02:19:08 | API Interceptor | 77x Sleep call for process: RegAsm.exe modified
02:19:13 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
208.95.112.1 | Cotizaci#U00f3n.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | FedEx_102235507463.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | rSOLICITUDDECOTIZACI#U00d3NCONSULTA.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | New Order 00293939004.bat.exe | malicious | GuLoader | ip-api.com/line/?fields=hosting
208.95.112.1 | MONTHLY SOA AGENT MAR-MAY.exe | malicious | AgentTesla, PureLog Stealer | ip-api.com/line/?fields=hosting
208.95.112.1 | IB4RbA3Afa.exe | malicious | AgentTesla, DarkTortilla | ip-api.com/line/?fields=hosting
208.95.112.1 | mFduH8XG1f.exe | malicious | AgentTesla, PureLog Stealer | ip-api.com/line/?fields=hosting
208.95.112.1 | 8uy7ZljOoi.exe | malicious | AgentTesla, PureLog Stealer | ip-api.com/line/?fields=hosting
208.95.112.1 | QUOTATION_MAYQTRA031244#U00b7PDF.scr.exe | malicious | AgentTesla, PureLog Stealer | ip-api.com/line/?fields=hosting
208.95.112.1 | B4NohuTaMr.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
185.230.214.164 | RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRYs.exe | malicious | GuLoader |
185.230.214.164 | RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe | malicious | AgentTesla |
185.230.214.164 | INQUIRY#46789_MAY24_PLANEX_SERVICES_CONTRACTING_GOODS.exe | malicious | AgentTesla |
185.230.214.164 | VBG dk Payment Receipt --doc87349281.bat | malicious | Remcos, AgentTesla, DBatLoader |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ip-api.com | Cotizaci#U00f3n.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | FedEx_102235507463.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | rSOLICITUDDECOTIZACI#U00d3NCONSULTA.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | New Order 00293939004.bat.exe | malicious | GuLoader | 208.95.112.1
ip-api.com | MONTHLY SOA AGENT MAR-MAY.exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
ip-api.com | IB4RbA3Afa.exe | malicious | AgentTesla, DarkTortilla | 208.95.112.1
ip-api.com | mFduH8XG1f.exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
ip-api.com | 8uy7ZljOoi.exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
ip-api.com | QUOTATION_MAYQTRA031244#U00b7PDF.scr.exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
ip-api.com | B4NohuTaMr.exe | malicious | AgentTesla | 208.95.112.1
smtp.zoho.eu | RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRYs.exe | malicious | GuLoader | 185.230.214.164
smtp.zoho.eu | RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe | malicious | AgentTesla | 185.230.214.164
smtp.zoho.eu | INQUIRY#46789_MAY24_PLANEX_SERVICES_CONTRACTING_GOODS.exe | malicious | AgentTesla | 185.230.214.164
smtp.zoho.eu | VBG dk Payment Receipt --doc87349281.bat | malicious | Remcos, AgentTesla, DBatLoader | 185.230.214.164
smtp.zoho.eu | RFQ_on_SAK-TC233L-32F200N_INFINEON_PN_PHARMA.pdf.exe | malicious | AgentTesla | 89.36.170.164
smtp.zoho.eu | 1qwF1J2Njh.exe | malicious | AgentTesla | 185.230.212.164
smtp.zoho.eu | N8USBRwo0Z.exe | malicious | AgentTesla | 89.36.170.164
smtp.zoho.eu | PURCHASE_ORDER.exe | malicious | AgentTesla, zgRAT | 89.36.170.164
smtp.zoho.eu | New Enquiry List.exe | malicious | AgentTesla | 185.20.209.164
Match | Associated Sample Name / URL | Detection | Threat Name | Context
COMPUTERLINEComputerlineSchlierbachSwitzerlandCH | http://isme-zcmp.campaign-view.eu | malicious | Unknown | 185.230.212.52
COMPUTERLINEComputerlineSchlierbachSwitzerlandCH | https://www.junglegstring.com/?wysija-page=1&controller=confirm&wysija-key=1c37c08e0ea53fdc22a8bedc342b6a0e&action=subscribe&wysijap=subscriptions&wysiconf=WyIxIl0= | malicious | Unknown | 89.36.170.147
COMPUTERLINEComputerlineSchlierbachSwitzerlandCH | RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRYs.exe | malicious | GuLoader | 185.230.214.164
COMPUTERLINEComputerlineSchlierbachSwitzerlandCH | RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe | malicious | AgentTesla | 185.230.214.164
COMPUTERLINEComputerlineSchlierbachSwitzerlandCH | INQUIRY#46789_MAY24_PLANEX_SERVICES_CONTRACTING_GOODS.exe | malicious | AgentTesla | 185.230.214.164
COMPUTERLINEComputerlineSchlierbachSwitzerlandCH | https://classic.dreamclass.io/pages/admissions/form/Bvtxck | malicious | Unknown | 185.230.212.28
COMPUTERLINEComputerlineSchlierbachSwitzerlandCH | http://www.multipli.com.au | malicious | Unknown | 185.230.212.28
COMPUTERLINEComputerlineSchlierbachSwitzerlandCH | https://workdrive.zohoexternal.com/external/2c63de0fdd4c89e3b1929ff054753df29586989db597aec11b0424839e9707da/download | malicious | Unknown | 185.230.212.52
COMPUTERLINEComputerlineSchlierbachSwitzerlandCH | https://survey.zohopublic.eu/zs/GzDXvp | malicious | HTMLPhisher | 185.230.212.19
COMPUTERLINEComputerlineSchlierbachSwitzerlandCH | https://site24x7.com | malicious | Unknown | 185.230.212.11
TUT-ASUS | Cotizaci#U00f3n.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | FedEx_102235507463.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | rSOLICITUDDECOTIZACI#U00d3NCONSULTA.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | New Order 00293939004.bat.exe | malicious | GuLoader | 208.95.112.1
TUT-ASUS | MONTHLY SOA AGENT MAR-MAY.exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
TUT-ASUS | IB4RbA3Afa.exe | malicious | AgentTesla, DarkTortilla | 208.95.112.1
TUT-ASUS | mFduH8XG1f.exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
TUT-ASUS | 8uy7ZljOoi.exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
TUT-ASUS | QUOTATION_MAYQTRA031244#U00b7PDF.scr.exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
TUT-ASUS | B4NohuTaMr.exe | malicious | AgentTesla | 208.95.112.1
                            No context
                            No context
                            Process:C:\Windows\System32\WerFault.exe
                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):1.2707010115901685
                            Encrypted:false
                            SSDEEP:192:/Vf2rhxBJei0d9wyaWxeFlJs87+Uz8zuiFJZ24lO8W:92rhxf4d9wyaGUx77AzuiFJY4lO8W
                            MD5:A870C6FF7790E87F184D697E81F8FC09
                            SHA1:C2F34DB7BB5A264138E77539C348DA0970447F1F
                            SHA-256:4EB100412A95916695B5AD969FA7C1CA8FF001EF5F578A2AD08B2431BB1F7955
                            SHA-512:5FB91E9E8BC8C2B29575BFC64A45ED5BC1FB87B895F86CCBA9D53483B73CD4BBC1D16C950839B2E487CE26FE95D0A74AD039259822F99DEF7641A264F87283C0
                            Malicious:false
                            Reputation:low
                            Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.1.9.5.5.5.4.6.7.5.8.7.6.7.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.1.9.5.5.5.4.7.9.1.5.0.1.0.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.a.2.6.7.4.b.c.-.4.a.e.b.-.4.f.7.1.-.b.7.a.f.-.e.8.a.3.8.e.4.4.9.e.f.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.a.e.c.1.d.c.c.-.2.6.0.8.-.4.f.4.f.-.8.2.9.a.-.f.7.8.3.6.d.8.f.3.9.f.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.R.F.Q.6.7.8.9.0.3.4.2.3._.P.R.O.D._.H.A.S.U.E._.d.e._.M.e.x.i.c.s.o._.M.A.T._.M.E.X...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.A.m.a.x.u.q.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.9.0.-.0.0.0.1.-.0.0.1.3.-.9.f.5.5.-.a.c.1.5.4.7.b.6.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.3.3.f.7.c.0.b.0.4.8.f.8.e.1.a.c.a.2.6.d.8.8.a.7.c.d.2.d.7.8.3.3.0.0.0.0.0.0.0.0.!.0.0.0.0.e.c.c.4.6.4.9.d.9.d.a.6.1.5.a.3.f.1.0.6.2.1.e.7.1.
                            Process:C:\Windows\System32\WerFault.exe
                            File Type:Mini DuMP crash report, 16 streams, Tue Jun 4 06:19:07 2024, 0x1205a4 type
                            Category:dropped
                            Size (bytes):504912
                            Entropy (8bit):3.424084621358595
                            Encrypted:false
                            SSDEEP:3072:TANnxd+YMWd0H3/pd9lqWPiFPlE1CCqp7T3+vwXDyasA24yycEZKRX5EcSErpb:TAFxEYNd0XD/8aqNT3QwXDPMkZkpQEB
                            MD5:5B35B66174D5E91A220972976F7A1026
                            SHA1:6AB2C29DF37E00EF907E9CDD6D79298A866F3895
                            SHA-256:3957FC5783B80CD58B4050DFFC93AFC9643AC459CDF6F2A2BE96B0B4E6B5CD95
                            SHA-512:E76425055D4749B38879164C607AC487D1F4A017753CEC406629218EF0C711B8753CF0293FE181341493EA6EDE9C3B3D2943EB15EF4B8CA1F737ACF4083F90F2
                            Malicious:false
                            Reputation:low
                            Preview:MDMP..a..... ........^f............t.......................$... '....... ..D'.......T..............l.......8...........T............:...y..........DG..........0I..............................................................................eJ.......I......Lw......................T............^f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................
                            Process:C:\Windows\System32\WerFault.exe
                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):8732
                            Entropy (8bit):3.7197490779683067
                            Encrypted:false
                            SSDEEP:192:R6l7wVeJBhZS6YWi/ELygmfZsBJiBprG89bRb0qfYrjm:R6lXJXZS6Yz/eygmfOfiDRbxfs6
                            MD5:28FA240B1D50D13548998A2F312E871E
                            SHA1:1854D9D162DFE0F1AA1870CDF4CFB48D031E92F5
                            SHA-256:7F5E079990DC8D826763AF65D93EA762A1578AEA714745C8C5CD2C5CD48AA149
                            SHA-512:04BA3ACFC485894BCCD9A3ED708AD63E8D3684B71C4D4D1B9AD8C6927B502862BD3C55CB9647E19D6CA3972BC1C6FC9155AB78BD0C7BC992E652DA47ED92C7B5
                            Malicious:false
                            Reputation:low
                            Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.3.1.2.<./.P.i.
                            Process:C:\Windows\System32\WerFault.exe
                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):4950
                            Entropy (8bit):4.634743230399989
                            Encrypted:false
                            SSDEEP:48:cvIwWl8zs1Jg771I9MAIXWpW8VYxYm8M4JPXXE6Fv3vyq8v4XXE30FUFBcTd:uIjfPI7Wn7VdJP0kWi0E+FBsd
                            MD5:B98277192437D6A9A7311C154F1F3852
                            SHA1:E71201B4A58D46DC1FAC7B6D72D0A1111F977AB2
                            SHA-256:52155F3F4184A077E9030D431A753490AB7820A0498461FA2C2A5C0F76867BD2
                            SHA-512:F93228DA7C16263C30B80579669C5CEE3B8F95F273674693CF8035636DFF86E388024D86C42FA46F3C7A546F5265B4BD4F98B6A2A88145743856C6B2AF3615AA
                            Malicious:false
                            Reputation:low
                            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="352641" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):64
                            Entropy (8bit):1.1940658735648508
                            Encrypted:false
                            SSDEEP:3:NlllulJnp/p:NllU
                            MD5:BC6DB77EB243BF62DC31267706650173
                            SHA1:9E42FEFC2E92DE0DB2A2C9911C866320E41B30FF
                            SHA-256:5B000939E436B6D314E3262887D8DB6E489A0DDF1E10E5D3D80F55AA25C9FC27
                            SHA-512:91DC4935874ECA2A4C8DE303D83081FE945C590208BB844324D1E0C88068495E30AAE2321B3BA8A762BA08DAAEB75D9931522A47C5317766C27E6CE7D04BEEA9
                            Malicious:false
                            Reputation:moderate, very likely benign file
                            Preview:@...e.................................X..............@..........
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe
                            File Type:ASCII text, with very long lines (696), with CRLF, LF line terminators
                            Category:dropped
                            Size (bytes):6042
                            Entropy (8bit):5.413980475709527
                            Encrypted:false
                            SSDEEP:96:wMxSIUoo6Lo0X4rZxSIUoo6Lo0X40xSYxSuBI0j3xSUw:wmhhLo0X4r/hhLo0X4gw
                            MD5:7DD189BDEB6E99EC26ED797D9ECCD69F
                            SHA1:9BE998B89B4053C83E6D96D85BD9CBDA4DB01E9D
                            SHA-256:AF90EA6448993FF0057A0ED41074D1C671A14D60EDB372804FC6DD2C1891657B
                            SHA-512:EC62CCACBF05B37276A17F6C4A4AC5858DBA2176F026992D7A37C2BE61299500625F13D6B40B2C7F93B8DA1B8ECD2260606F900095A4700BEA2327E32BB8244A
                            Malicious:false
                            Preview:.Unhandled Exception: System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.AccessViolationException: Attempted to read or write protected memory. This is often an indication that other memory is corrupt... at _bB._d(String , String , IntPtr , IntPtr , Boolean , UInt32 , IntPtr , String , IntPtr , IntPtr ).. --- End of inner exception stack trace ---.. at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor).. at System.Reflection.Runtime
                            Process:C:\Windows\System32\WerFault.exe
                            File Type:MS Windows registry file, NT/2000 or above
                            Category:dropped
                            Size (bytes):1835008
                            Entropy (8bit):4.296130025107502
                            Encrypted:false
                            SSDEEP:6144:f41fWRYkg7Di2vXoy00lWZgiWaaKxC44Q0NbuDs+rQmBMZJh1Vjj:Q1/YCW2AoQ0NiNQwMHrVH
                            MD5:021E209FF56100EA5BA289C6E6E93E00
                            SHA1:F6371D3312579DD6CF6C394F927521B750FF3D16
                            SHA-256:8F59417F0E11A892E32103701507D60AD77D7C8E87DF92A71CC9587B0A0B590D
                            SHA-512:9F94EDB675FB4D1A7246DFD473ABFE367A25929384624CD96360811A9B806989AED68C48A466DE656006ACE80CC1A967724307190502FA2914F3968A07AEB925
                            Malicious:false
                            Preview:regfG...G....\.Z.................... ....`......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmJ.r.G.................................................................................................................................................................................................................................................................................................................................................g.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                            File type:PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
                            Entropy (8bit):7.890424280704445
                            TrID:
                            • Win64 Executable Console Net Framework (206006/5) 48.58%
                            • Win64 Executable Console (202006/5) 47.64%
                            • Win64 Executable (generic) (12005/4) 2.83%
                            • Generic Win/DOS Executable (2004/3) 0.47%
                            • DOS Executable Generic (2002/1) 0.47%
                            File name:RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe
                            File size:679'855 bytes
                            MD5:d617ed4ea343a0460e10f0e8a438cfeb
                            SHA1:ecc4649d9da615a3f10621e71451fbc4efe066b1
                            SHA256:1ab3ec9401912cfc5ff446a0e2ce4e2510799d014e573f6d75cd32f6367818ab
                            SHA512:04e3dd11138d46bce516b0e5d7d834892769c068a4a6cdd709b9ad11f729e85c4a0e1c0cac29eb6cde90fe41a7f6562319cc0ee8f3cd7b5677f1f73469d23b40
                            SSDEEP:12288:K+NB7CdmFs3+GHPka8hwdwq3BS9QG93LjuHdk0Z3wM9YOmGQXD:KcB7cB3+GHmhwdhCZ9nuHKgs1T
                            TLSH:2FE4124BFA1C67EEE38E8772787A02706628DFA306846D54F9D4FE6E047035C69139D2
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...T............."...0.#a............... ....@...... ..............................j.....`................................
                            Icon Hash:24ed8d96b2ade832
                            Entrypoint:0x400000
                            Entrypoint Section:
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows cui
                            Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                            DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                            Time Stamp:0x98EF0654 [Sat Apr 22 18:39:16 2051 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:4
                            OS Version Minor:0
                            File Version Major:4
                            File Version Minor:0
                            Subsystem Version Major:4
                            Subsystem Version Minor:0
                            Import Hash:
                            Instruction
                            dec ebp
                            pop edx
                            nop
                            add byte ptr [ebx], al
                            add byte ptr [eax], al
                            add byte ptr [eax+eax], al
                            add byte ptr [eax], al
                            Name | Virtual Address | Virtual Size | Is in Section
                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xa000 | 0xdcd2 | .rsrc
                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x805e | 0x38 | .text
                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2000 | 0x48 | .text
                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                            .text | 0x2000 | 0x6123 | 0x6200 | 1123bb47663eccf191865c930f3fe965 | False | 0.61328125 | data | 6.438757388301241 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            .rsrc | 0xa000 | 0xdcd2 | 0xde00 | 3e687967fd53b1928b778589fa789f33 | False | 0.09181447072072071 | data | 3.8153996343439553 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                            RT_ICON | 0xa15c | 0xd228 | Device independent bitmap graphic, 101 x 256 x 32, image size 51712, resolution 9055 x 9055 px/m | | | 0.07864312267657993
                            RT_GROUP_ICON | 0x17384 | 0x14 | data | | | 1.15
                            RT_VERSION | 0x17398 | 0x3a8 | data | | | 0.4935897435897436
                            RT_VERSION | 0x17740 | 0x3a8 | data | English | United States | 0.4935897435897436
                            RT_MANIFEST | 0x17ae8 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
                            Language of compilation system | Country where language is spoken | Map
                            English | United States |
                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                            Jun 4, 2024 08:19:07.222460032 CEST | 49701 | 80 | 192.168.2.10 | 208.95.112.1
                            Jun 4, 2024 08:19:07.227462053 CEST | 80 | 49701 | 208.95.112.1 | 192.168.2.10
                            Jun 4, 2024 08:19:07.227530956 CEST | 49701 | 80 | 192.168.2.10 | 208.95.112.1
                            Jun 4, 2024 08:19:07.227931976 CEST | 49701 | 80 | 192.168.2.10 | 208.95.112.1
                            Jun 4, 2024 08:19:07.232821941 CEST | 80 | 49701 | 208.95.112.1 | 192.168.2.10
                            Jun 4, 2024 08:19:07.809391975 CEST | 80 | 49701 | 208.95.112.1 | 192.168.2.10
                            Jun 4, 2024 08:19:07.850390911 CEST | 49701 | 80 | 192.168.2.10 | 208.95.112.1
                            Jun 4, 2024 08:19:08.785309076 CEST | 49702 | 587 | 192.168.2.10 | 185.230.214.164
                            Jun 4, 2024 08:19:08.790255070 CEST | 587 | 49702 | 185.230.214.164 | 192.168.2.10
                            Jun 4, 2024 08:19:08.790309906 CEST | 49702 | 587 | 192.168.2.10 | 185.230.214.164
                            Jun 4, 2024 08:19:09.552175999 CEST | 587 | 49702 | 185.230.214.164 | 192.168.2.10
                            Jun 4, 2024 08:19:09.552510977 CEST | 49702 | 587 | 192.168.2.10 | 185.230.214.164
                            Jun 4, 2024 08:19:09.557468891 CEST | 587 | 49702 | 185.230.214.164 | 192.168.2.10
                            Jun 4, 2024 08:19:10.205205917 CEST | 587 | 49702 | 185.230.214.164 | 192.168.2.10
                            Jun 4, 2024 08:19:10.205466986 CEST | 49702 | 587 | 192.168.2.10 | 185.230.214.164
                            Jun 4, 2024 08:19:10.210366011 CEST | 587 | 49702 | 185.230.214.164 | 192.168.2.10
                            Jun 4, 2024 08:19:10.471451998 CEST | 587 | 49702 | 185.230.214.164 | 192.168.2.10
                            Jun 4, 2024 08:19:10.474848032 CEST | 49702 | 587 | 192.168.2.10 | 185.230.214.164
                            Jun 4, 2024 08:19:10.479800940 CEST | 587 | 49702 | 185.230.214.164 | 192.168.2.10
                            Jun 4, 2024 08:19:10.742856026 CEST | 587 | 49702 | 185.230.214.164 | 192.168.2.10
                            Jun 4, 2024 08:19:10.742873907 CEST | 587 | 49702 | 185.230.214.164 | 192.168.2.10
                            Jun 4, 2024 08:19:10.742881060 CEST | 587 | 49702 | 185.230.214.164 | 192.168.2.10
                            Jun 4, 2024 08:19:10.742893934 CEST | 587 | 49702 | 185.230.214.164 | 192.168.2.10
                            Jun 4, 2024 08:19:10.742898941 CEST | 587 | 49702 | 185.230.214.164 | 192.168.2.10
                            Jun 4, 2024 08:19:10.742968082 CEST | 49702 | 587 | 192.168.2.10 | 185.230.214.164
                            Jun 4, 2024 08:19:10.745743036 CEST | 49702 | 587 | 192.168.2.10 | 185.230.214.164
                            Jun 4, 2024 08:19:10.750597000 CEST | 587 | 49702 | 185.230.214.164 | 192.168.2.10
                            Jun 4, 2024 08:19:11.012017012 CEST | 587 | 49702 | 185.230.214.164 | 192.168.2.10
                            Jun 4, 2024 08:19:11.024497986 CEST | 49702 | 587 | 192.168.2.10 | 185.230.214.164
                            Jun 4, 2024 08:19:11.029465914 CEST | 587 | 49702 | 185.230.214.164 | 192.168.2.10
                            Jun 4, 2024 08:19:11.292685986 CEST | 587 | 49702 | 185.230.214.164 | 192.168.2.10
                            Jun 4, 2024 08:19:11.295617104 CEST | 49702 | 587 | 192.168.2.10 | 185.230.214.164
                            Jun 4, 2024 08:19:11.300513029 CEST | 587 | 49702 | 185.230.214.164 | 192.168.2.10
                            Jun 4, 2024 08:19:11.563695908 CEST | 587 | 49702 | 185.230.214.164 | 192.168.2.10
                            Jun 4, 2024 08:19:11.564019918 CEST | 49702 | 587 | 192.168.2.10 | 185.230.214.164
                            Jun 4, 2024 08:19:11.568883896 CEST | 587 | 49702 | 185.230.214.164 | 192.168.2.10
                            Jun 4, 2024 08:19:11.965063095 CEST | 587 | 49702 | 185.230.214.164 | 192.168.2.10
                            Jun 4, 2024 08:19:11.966089964 CEST | 49702 | 587 | 192.168.2.10 | 185.230.214.164
                            Jun 4, 2024 08:19:11.970968008 CEST | 587 | 49702 | 185.230.214.164 | 192.168.2.10
                            Jun 4, 2024 08:19:12.232371092 CEST | 587 | 49702 | 185.230.214.164 | 192.168.2.10
                            Jun 4, 2024 08:19:12.232681036 CEST | 49702 | 587 | 192.168.2.10 | 185.230.214.164
                            Jun 4, 2024 08:19:12.237543106 CEST | 587 | 49702 | 185.230.214.164 | 192.168.2.10
                            Jun 4, 2024 08:19:12.498974085 CEST | 587 | 49702 | 185.230.214.164 | 192.168.2.10
                            Jun 4, 2024 08:19:12.499260902 CEST | 49702 | 587 | 192.168.2.10 | 185.230.214.164
                            Jun 4, 2024 08:19:12.504120111 CEST | 587 | 49702 | 185.230.214.164 | 192.168.2.10
                            Jun 4, 2024 08:19:12.765250921 CEST | 587 | 49702 | 185.230.214.164 | 192.168.2.10
                            Jun 4, 2024 08:19:12.765991926 CEST | 49702 | 587 | 192.168.2.10 | 185.230.214.164
                            Jun 4, 2024 08:19:12.765991926 CEST | 49702 | 587 | 192.168.2.10 | 185.230.214.164
                            Jun 4, 2024 08:19:12.765991926 CEST | 49702 | 587 | 192.168.2.10 | 185.230.214.164
                            Jun 4, 2024 08:19:12.766036034 CEST | 49702 | 587 | 192.168.2.10 | 185.230.214.164
                            Jun 4, 2024 08:19:12.770915031 CEST | 587 | 49702 | 185.230.214.164 | 192.168.2.10
                            Jun 4, 2024 08:19:12.770989895 CEST | 587 | 49702 | 185.230.214.164 | 192.168.2.10
                            Jun 4, 2024 08:19:12.770998955 CEST | 587 | 49702 | 185.230.214.164 | 192.168.2.10
                            Jun 4, 2024 08:19:12.771037102 CEST | 587 | 49702 | 185.230.214.164 | 192.168.2.10
                            Jun 4, 2024 08:19:13.513947010 CEST | 587 | 49702 | 185.230.214.164 | 192.168.2.10
                            Jun 4, 2024 08:19:13.560518026 CEST | 49702 | 587 | 192.168.2.10 | 185.230.214.164
                            Jun 4, 2024 08:19:13.565617085 CEST | 587 | 49702 | 185.230.214.164 | 192.168.2.10
                            Jun 4, 2024 08:19:13.826709986 CEST | 587 | 49702 | 185.230.214.164 | 192.168.2.10
                            Jun 4, 2024 08:19:13.826951027 CEST | 587 | 49702 | 185.230.214.164 | 192.168.2.10
                            Jun 4, 2024 08:19:13.829477072 CEST | 49702 | 587 | 192.168.2.10 | 185.230.214.164
                            Jun 4, 2024 08:19:13.831607103 CEST | 49702 | 587 | 192.168.2.10 | 185.230.214.164
                            Jun 4, 2024 08:19:13.833184958 CEST | 49709 | 587 | 192.168.2.10 | 185.230.214.164
                            Jun 4, 2024 08:19:13.838181019 CEST | 587 | 49709 | 185.230.214.164 | 192.168.2.10
                            Jun 4, 2024 08:19:13.838449955 CEST | 49709 | 587 | 192.168.2.10 | 185.230.214.164
                            Jun 4, 2024 08:19:14.604372025 CEST | 587 | 49709 | 185.230.214.164 | 192.168.2.10
                            Jun 4, 2024 08:19:14.604527950 CEST | 49709 | 587 | 192.168.2.10 | 185.230.214.164
                            Jun 4, 2024 08:19:14.609412909 CEST | 587 | 49709 | 185.230.214.164 | 192.168.2.10
                            Jun 4, 2024 08:19:14.872539043 CEST | 587 | 49709 | 185.230.214.164 | 192.168.2.10
                            Jun 4, 2024 08:19:14.872751951 CEST | 49709 | 587 | 192.168.2.10 | 185.230.214.164
                            Jun 4, 2024 08:19:14.877655983 CEST | 587 | 49709 | 185.230.214.164 | 192.168.2.10
                            Jun 4, 2024 08:19:15.140501022 CEST | 587 | 49709 | 185.230.214.164 | 192.168.2.10
                            Jun 4, 2024 08:19:15.140918970 CEST | 49709 | 587 | 192.168.2.10 | 185.230.214.164
                            Jun 4, 2024 08:19:15.145785093 CEST | 587 | 49709 | 185.230.214.164 | 192.168.2.10
                            Jun 4, 2024 08:19:15.408730984 CEST | 587 | 49709 | 185.230.214.164 | 192.168.2.10
                            Jun 4, 2024 08:19:15.409534931 CEST | 49709 | 587 | 192.168.2.10 | 185.230.214.164
                            Jun 4, 2024 08:19:15.412153959 CEST | 49709 | 587 | 192.168.2.10 | 185.230.214.164
                            Jun 4, 2024 08:19:15.414401054 CEST | 587 | 49709 | 185.230.214.164 | 192.168.2.10
                            Jun 4, 2024 08:19:15.417006969 CEST | 587 | 49709 | 185.230.214.164 | 192.168.2.10
                            Jun 4, 2024 08:19:15.679878950 CEST | 587 | 49709 | 185.230.214.164 | 192.168.2.10
                            Jun 4, 2024 08:19:15.679903030 CEST | 587 | 49709 | 185.230.214.164 | 192.168.2.10
                            Jun 4, 2024 08:19:15.679966927 CEST | 49709 | 587 | 192.168.2.10 | 185.230.214.164
                            Jun 4, 2024 08:19:15.680179119 CEST | 49709 | 587 | 192.168.2.10 | 185.230.214.164
                            Jun 4, 2024 08:19:15.684998035 CEST | 587 | 49709 | 185.230.214.164 | 192.168.2.10
                            Jun 4, 2024 08:19:15.948014021 CEST | 587 | 49709 | 185.230.214.164 | 192.168.2.10
                            Jun 4, 2024 08:19:15.948326111 CEST | 49709 | 587 | 192.168.2.10 | 185.230.214.164
                            Jun 4, 2024 08:19:15.953212023 CEST | 587 | 49709 | 185.230.214.164 | 192.168.2.10
                            Jun 4, 2024 08:19:16.262577057 CEST | 587 | 49709 | 185.230.214.164 | 192.168.2.10
                            Jun 4, 2024 08:19:16.262825012 CEST | 49709 | 587 | 192.168.2.10 | 185.230.214.164
                            Jun 4, 2024 08:19:16.267739058 CEST | 587 | 49709 | 185.230.214.164 | 192.168.2.10
                            Jun 4, 2024 08:19:16.537204981 CEST | 587 | 49709 | 185.230.214.164 | 192.168.2.10
                            Jun 4, 2024 08:19:16.537386894 CEST | 49709 | 587 | 192.168.2.10 | 185.230.214.164
                            Jun 4, 2024 08:19:16.542362928 CEST | 587 | 49709 | 185.230.214.164 | 192.168.2.10
                            Jun 4, 2024 08:19:16.811453104 CEST | 587 | 49709 | 185.230.214.164 | 192.168.2.10
                            Jun 4, 2024 08:19:16.811697960 CEST | 49709 | 587 | 192.168.2.10 | 185.230.214.164
                            Jun 4, 2024 08:19:16.816576004 CEST | 587 | 49709 | 185.230.214.164 | 192.168.2.10
                            Jun 4, 2024 08:19:17.079617977 CEST | 587 | 49709 | 185.230.214.164 | 192.168.2.10
                            Jun 4, 2024 08:19:17.104959011 CEST | 49709 | 587 | 192.168.2.10 | 185.230.214.164
                            Jun 4, 2024 08:19:17.104998112 CEST | 49709 | 587 | 192.168.2.10 | 185.230.214.164
                            Jun 4, 2024 08:19:17.105040073 CEST | 49709 | 587 | 192.168.2.10 | 185.230.214.164
                            Jun 4, 2024 08:19:17.105070114 CEST | 49709 | 587 | 192.168.2.10 | 185.230.214.164
                            Jun 4, 2024 08:19:17.105109930 CEST | 49709 | 587 | 192.168.2.10 | 185.230.214.164
                            Jun 4, 2024 08:19:17.105142117 CEST | 49709 | 587 | 192.168.2.10 | 185.230.214.164
                            Jun 4, 2024 08:19:17.105186939 CEST | 49709 | 587 | 192.168.2.10 | 185.230.214.164
                            Jun 4, 2024 08:19:17.105212927 CEST | 49709 | 587 | 192.168.2.10 | 185.230.214.164
                            Jun 4, 2024 08:19:17.105233908 CEST | 49709 | 587 | 192.168.2.10 | 185.230.214.164
                            Jun 4, 2024 08:19:17.105254889 CEST | 49709 | 587 | 192.168.2.10 | 185.230.214.164
                            Jun 4, 2024 08:19:17.109958887 CEST | 587 | 49709 | 185.230.214.164 | 192.168.2.10
                            Jun 4, 2024 08:19:17.110007048 CEST | 587 | 49709 | 185.230.214.164 | 192.168.2.10
                            Jun 4, 2024 08:19:17.110017061 CEST | 587 | 49709 | 185.230.214.164 | 192.168.2.10
                            Jun 4, 2024 08:19:17.110227108 CEST | 587 | 49709 | 185.230.214.164 | 192.168.2.10
                            Jun 4, 2024 08:19:17.110259056 CEST | 587 | 49709 | 185.230.214.164 | 192.168.2.10
                            Jun 4, 2024 08:19:17.110269070 CEST | 587 | 49709 | 185.230.214.164 | 192.168.2.10
                            Jun 4, 2024 08:19:17.110280037 CEST | 587 | 49709 | 185.230.214.164 | 192.168.2.10
                            Jun 4, 2024 08:19:17.110289097 CEST | 587 | 49709 | 185.230.214.164 | 192.168.2.10
                            Jun 4, 2024 08:19:17.110306025 CEST | 587 | 49709 | 185.230.214.164 | 192.168.2.10
                            Jun 4, 2024 08:19:17.110315084 CEST | 587 | 49709 | 185.230.214.164 | 192.168.2.10
                            Jun 4, 2024 08:19:17.511714935 CEST | 587 | 49709 | 185.230.214.164 | 192.168.2.10
                            Jun 4, 2024 08:19:17.553498983 CEST | 49709 | 587 | 192.168.2.10 | 185.230.214.164
                            Jun 4, 2024 08:19:37.927660942 CEST | 80 | 49701 | 208.95.112.1 | 192.168.2.10
                            Jun 4, 2024 08:19:37.927763939 CEST | 49701 | 80 | 192.168.2.10 | 208.95.112.1
                            Jun 4, 2024 08:19:58.788367033 CEST | 49701 | 80 | 192.168.2.10 | 208.95.112.1
                            Jun 4, 2024 08:19:58.793605089 CEST | 80 | 49701 | 208.95.112.1 | 192.168.2.10
                            Jun 4, 2024 08:20:48.803905964 CEST | 49709 | 587 | 192.168.2.10 | 185.230.214.164
                            Jun 4, 2024 08:20:48.809094906 CEST | 587 | 49709 | 185.230.214.164 | 192.168.2.10
                            Jun 4, 2024 08:20:49.072189093 CEST | 587 | 49709 | 185.230.214.164 | 192.168.2.10
                            Jun 4, 2024 08:20:49.072386026 CEST | 587 | 49709 | 185.230.214.164 | 192.168.2.10
                            Jun 4, 2024 08:20:49.072499037 CEST | 49709 | 587 | 192.168.2.10 | 185.230.214.164
                            Jun 4, 2024 08:20:49.073062897 CEST | 49709 | 587 | 192.168.2.10 | 185.230.214.164
                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                            Jun 4, 2024 08:19:07.151247978 CEST | 58099 | 53 | 192.168.2.10 | 1.1.1.1
                            Jun 4, 2024 08:19:07.158126116 CEST | 53 | 58099 | 1.1.1.1 | 192.168.2.10
                            Jun 4, 2024 08:19:08.776885986 CEST | 56105 | 53 | 192.168.2.10 | 1.1.1.1
                            Jun 4, 2024 08:19:08.784588099 CEST | 53 | 56105 | 1.1.1.1 | 192.168.2.10
                            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                            Jun 4, 2024 08:19:07.151247978 CEST | 192.168.2.10 | 1.1.1.1 | 0x37f1 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
                            Jun 4, 2024 08:19:08.776885986 CEST | 192.168.2.10 | 1.1.1.1 | 0x3af0 | Standard query (0) | smtp.zoho.eu | A (IP address) | IN (0x0001) | false
                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                            Jun 4, 2024 08:19:07.158126116 CEST | 1.1.1.1 | 192.168.2.10 | 0x37f1 | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
                            Jun 4, 2024 08:19:08.784588099 CEST | 1.1.1.1 | 192.168.2.10 | 0x3af0 | No error (0) | smtp.zoho.eu | | 185.230.214.164 | A (IP address) | IN (0x0001) | false
                            • ip-api.com
                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            0 | 192.168.2.10 | 49701 | 208.95.112.1 | 80 | 7924 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                            Timestamp | Bytes transferred | Direction | Data
                            Jun 4, 2024 08:19:07.227931976 CEST | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
                            Host: ip-api.com
                            Connection: Keep-Alive
                            Jun 4, 2024 08:19:07.809391975 CEST | 174 | IN | HTTP/1.1 200 OK
                            Date: Tue, 04 Jun 2024 06:19:07 GMT
                            Content-Type: text/plain; charset=utf-8
                            Content-Length: 5
                            Access-Control-Allow-Origin: *
                            X-Ttl: 60
                            X-Rl: 44
                            Data Raw: 74 72 75 65 0a
                            Data Ascii: true


                            Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                            Jun 4, 2024 08:19:09.552175999 CEST | 587 | 49702 | 185.230.214.164 | 192.168.2.10 | 220 mx.zoho.eu SMTP Server ready June 4, 2024 8:19:09 AM CEST
                            Jun 4, 2024 08:19:09.552510977 CEST | 49702 | 587 | 192.168.2.10 | 185.230.214.164 | EHLO 585948
                            Jun 4, 2024 08:19:10.205205917 CEST | 587 | 49702 | 185.230.214.164 | 192.168.2.10 | 250-mx.zoho.eu Hello 585948 (173.254.250.91 (173.254.250.91))
                            250-STARTTLS
                            250 SIZE 53477376
                            Jun 4, 2024 08:19:10.205466986 CEST | 49702 | 587 | 192.168.2.10 | 185.230.214.164 | STARTTLS
                            Jun 4, 2024 08:19:10.471451998 CEST | 587 | 49702 | 185.230.214.164 | 192.168.2.10 | 220 Ready to start TLS.
                            Jun 4, 2024 08:19:14.604372025 CEST | 587 | 49709 | 185.230.214.164 | 192.168.2.10 | 220 mx.zoho.eu SMTP Server ready June 4, 2024 8:19:14 AM CEST
                            Jun 4, 2024 08:19:14.604527950 CEST | 49709 | 587 | 192.168.2.10 | 185.230.214.164 | EHLO 585948
                            Jun 4, 2024 08:19:14.872539043 CEST | 587 | 49709 | 185.230.214.164 | 192.168.2.10 | 250-mx.zoho.eu Hello 585948 (173.254.250.91 (173.254.250.91))
                            250-STARTTLS
                            250 SIZE 53477376
                            Jun 4, 2024 08:19:14.872751951 CEST | 49709 | 587 | 192.168.2.10 | 185.230.214.164 | STARTTLS
                            Jun 4, 2024 08:19:15.140501022 CEST | 587 | 49709 | 185.230.214.164 | 192.168.2.10 | 220 Ready to start TLS.


                            Target ID:0
                            Start time:02:18:58
                            Start date:04/06/2024
                            Path:C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe"
                            Imagebase:0x23ab8000000
                            File size:679'855 bytes
                            MD5 hash:D617ED4EA343A0460E10F0E8A438CFEB
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1402644307.0000023ABA38A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1403203192.0000023ACA001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1403203192.0000023ACA001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            Reputation:low
                            Has exited:true

                            Target ID:1
                            Start time:02:18:58
                            Start date:04/06/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff620390000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:9
                            Start time:02:19:05
                            Start date:04/06/2024
                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe" -Force
                            Imagebase:0x7ff7b2bb0000
                            File size:452'608 bytes
                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:10
                            Start time:02:19:05
                            Start date:04/06/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff620390000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:11
                            Start time:02:19:05
                            Start date:04/06/2024
                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
                            Imagebase:0xa70000
                            File size:65'440 bytes
                            MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.2510069403.0000000002DBE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.2510069403.0000000002DE2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.2510069403.0000000002D92000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.2510069403.0000000002D92000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.2507112723.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.2507112723.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                            Reputation:high
                            Has exited:false

                            Target ID:14
                            Start time:02:19:06
                            Start date:04/06/2024
                            Path:C:\Windows\System32\WerFault.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\WerFault.exe -u -p 7312 -s 1144
                            Imagebase:0x7ff6b0720000
                            File size:570'736 bytes
                            MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:16
                            Start time:02:19:09
                            Start date:04/06/2024
                            Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                            Imagebase:0x7ff6616b0000
                            File size:496'640 bytes
                            MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                            Has elevated privileges:true
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:false


                              Execution Graph

                              Execution Coverage:13%
                              Dynamic/Decrypted Code Coverage:100%
                              Signature Coverage:0%
                              Total number of Nodes:6
                              Total number of Limit Nodes:0
                              execution_graph (node lines: id address [API]; edge lines: src->dst)
                              14960 7ff7c19309c9
                              14961 7ff7c1930a08 FreeConsole
                              14960->14961
                              14963 7ff7c1930a5e
                              14961->14963
                              14968 7ff7c1934f6d
                              14969 7ff7c1934f77 VirtualProtect
                              14968->14969
                              14971 7ff7c1935031
                              14969->14971
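The execution graph above is the text Joe Sandbox serialises behind the rendered picture: node definitions ("id address", optionally followed by the API names resolved at that node) interleaved with "src->dst" edges. What an analyst wants from it is which entry point reaches which API, especially in regions the memory-dump metadata marks "based on PE: false", where VirtualProtect is a strong hint of in-place unpacking. The following Python is an added example, not part of the report or of Joe Sandbox's tooling: it parses that serialisation, attributes each API to the root node it hangs off, and flags the ones worth a second look. The graph literal is copied from the listing above; the TRIAGE_NOTES table and its one-line rationales are this example's own assumptions.

```python
import re
from collections import defaultdict

# Raw "execution_graph" serialisation as it appears in the report section above
# (main module mapped at 0x7ff7c1930000). Tokens are either "<id> <address> [API...]"
# node definitions or "<src>-><dst>" edges.
EXECUTION_GRAPH = (
    "execution_graph 14960 7ff7c19309c9 14961 7ff7c1930a08 FreeConsole "
    "14960->14961 14963 7ff7c1930a5e 14961->14963 14968 7ff7c1934f6d "
    "14969 7ff7c1934f77 VirtualProtect 14968->14969 14971 7ff7c1935031 "
    "14969->14971"
)

# APIs that deserve a second look when they show up in code that is not backed
# by a PE section ("based on PE: false" in the memory-dump metadata).
# This table and its rationale strings are the example's own, not the report's.
TRIAGE_NOTES = {
    "VirtualProtect": "changes page protection; typical of in-place unpacking or self-modifying code",
    "CheckRemoteDebuggerPresent": "anti-debugging check",
    "FreeConsole": "detaches the console; often used to run without a visible window",
}

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
ID_RE = re.compile(r"^\d+$")
ADDR_RE = re.compile(r"^[0-9a-fA-F]+$")


def parse_execution_graph(text):
    """Parse the serialised graph into (nodes, edges).

    nodes: {node_id: {"addr": hex string, "apis": [API names]}}
    edges: [(src_id, dst_id), ...]
    Splitting on whitespace means the raw single-line form and a re-flowed
    one-entry-per-line form parse identically.
    """
    tokens = text.split()
    if tokens and tokens[0] == "execution_graph":
        tokens = tokens[1:]
    nodes, edges = {}, []
    current = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE_RE.match(tok)
        if edge:
            edges.append((edge.group(1), edge.group(2)))
            current = None          # API labels never follow an edge
            i += 1
            continue
        if ID_RE.match(tok):        # a node id is always followed by its address
            if i + 1 >= len(tokens) or not ADDR_RE.match(tokens[i + 1]):
                raise ValueError(f"node {tok} is not followed by an address")
            current = tok
            nodes[current] = {"addr": tokens[i + 1].lower(), "apis": []}
            i += 2
            continue
        if current is None:
            raise ValueError(f"unexpected token {tok!r} outside a node definition")
        nodes[current]["apis"].append(tok)   # e.g. FreeConsole, VirtualProtect
        i += 1
    return nodes, edges


def apis_by_root(nodes, edges):
    """Map each root (node with no incoming edge) address to the sorted list of
    API names reachable from it. Edges to nodes missing from the listing are
    tolerated, because the report text can be cut off in the middle of a graph."""
    succ = defaultdict(list)
    has_parent = set()
    for src, dst in edges:
        succ[src].append(dst)
        has_parent.add(dst)
    summary = {}
    for nid, node in nodes.items():
        if nid in has_parent:
            continue
        seen, stack, apis = set(), [nid], set()
        while stack:                 # iterative DFS; self-loops are harmless
            cur = stack.pop()
            if cur in seen:
                continue
            seen.add(cur)
            apis.update(nodes.get(cur, {"apis": []})["apis"])
            stack.extend(succ[cur])
        summary[node["addr"]] = sorted(apis)
    return summary


def triage(summary):
    """Return [(root_addr, api, note)] for every reachable API listed in TRIAGE_NOTES."""
    return [(root, api, TRIAGE_NOTES[api])
            for root, apis in summary.items()
            for api in apis if api in TRIAGE_NOTES]


if __name__ == "__main__":
    nodes, edges = parse_execution_graph(EXECUTION_GRAPH)
    for root, api, note in triage(apis_by_root(nodes, edges)):
        print(f"{root}: {api} ({note})")
```

For the graph above this yields two roots: 7ff7c19309c9 reaching FreeConsole and 7ff7c1934f6d reaching VirtualProtect. The same parser runs over the second execution graph further down in this section (the CallWindowProcW / CheckRemoteDebuggerPresent one), whose listing is cut off mid-token in this extraction, which is why edges to unlisted nodes are skipped rather than treated as an error.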

                              Control-flow Graph

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1405598535.00007FF7C1930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff7c1930000_RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.jbxd
                              Similarity
                              • API ID:
                              • String ID: H$fish
                              • API String ID: 0-2025339721
                              • Opcode ID: 6575e590c3cab85b29f842c572de9c2c520f322974e3d4ed9eee97d2416a6912
                              • Instruction ID: 186d482815e951093f97dfe2dd50d80c6fec12bff35b84d02905c25fc09e014b
                              • Opcode Fuzzy Hash: 6575e590c3cab85b29f842c572de9c2c520f322974e3d4ed9eee97d2416a6912
                              • Instruction Fuzzy Hash: 6DC14C31A1CA894FD748FF3898655B5B7E1FF96364B84417EE48BC3293DE24AC428781
                              Memory Dump Source
                              • Source File: 00000000.00000002.1405981178.00007FF7C1A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1A20000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff7c1a20000_RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8dd9c8233550fc6bdbb46d8372b8ac8c794ab88aaacd35051207617c3a1cce1e
                              • Instruction ID: cfafee0298429e173558492277fa06f96c199ec1c2c83aabfa5a3c2cbfaa5d89
                              • Opcode Fuzzy Hash: 8dd9c8233550fc6bdbb46d8372b8ac8c794ab88aaacd35051207617c3a1cce1e
                              • Instruction Fuzzy Hash: A6E2383180D7C54FE756EF288855AA8BFA0FF56310F5802FBC48DDB193DA68A846C791

                              Control-flow Graph

                              control_flow_graph 486 7ff7c1933898-7ff7c1936821 call 7ff7c19366e0 493 7ff7c1936844-7ff7c1936853 486->493 494 7ff7c1936855-7ff7c193686f call 7ff7c19366e0 call 7ff7c1936730 493->494 495 7ff7c1936823-7ff7c1936839 call 7ff7c19366e0 call 7ff7c1936730 493->495 504 7ff7c193683b-7ff7c1936842 495->504 505 7ff7c1936870-7ff7c19368c0 495->505 504->493 510 7ff7c19368cc-7ff7c1936903 505->510 511 7ff7c19368c2-7ff7c19368c7 call 7ff7c1935318 505->511 513 7ff7c1936909-7ff7c1936914 510->513 514 7ff7c1936aff-7ff7c1936b69 510->514 511->510 515 7ff7c1936988-7ff7c193698d 513->515 516 7ff7c1936916-7ff7c1936924 513->516 543 7ff7c1936b6b-7ff7c1936b71 514->543 544 7ff7c1936b86-7ff7c1936bb0 514->544 518 7ff7c193698f-7ff7c193699b 515->518 519 7ff7c1936a00-7ff7c1936a0a 515->519 516->514 517 7ff7c193692a-7ff7c1936939 516->517 523 7ff7c193696d-7ff7c1936978 517->523 524 7ff7c193693b-7ff7c193696b 517->524 518->514 525 7ff7c19369a1-7ff7c19369b4 518->525 521 7ff7c1936a2c-7ff7c1936a34 519->521 522 7ff7c1936a0c-7ff7c1936a19 call 7ff7c1935338 519->522 529 7ff7c1936a37-7ff7c1936a42 521->529 539 7ff7c1936a1e-7ff7c1936a2a 522->539 523->514 528 7ff7c193697e-7ff7c1936986 523->528 524->523 527 7ff7c19369b9-7ff7c19369bc 524->527 525->529 532 7ff7c19369be-7ff7c19369ce 527->532 533 7ff7c19369d2-7ff7c19369da 527->533 528->515 528->516 529->514 534 7ff7c1936a48-7ff7c1936a58 529->534 532->533 533->514 535 7ff7c19369e0-7ff7c19369ff 533->535 534->514 537 7ff7c1936a5e-7ff7c1936a6b 534->537 537->514 541 7ff7c1936a71-7ff7c1936a91 537->541 539->521 541->514 548 7ff7c1936a93-7ff7c1936aa2 541->548 546 7ff7c1936bb1-7ff7c1936bc8 543->546 547 7ff7c1936b73-7ff7c1936b84 543->547 554 7ff7c1936bca-7ff7c1936bcb 546->554 555 7ff7c1936bcc-7ff7c1936c00 546->555 547->543 547->544 549 7ff7c1936aed-7ff7c1936afe 548->549 550 7ff7c1936aa4-7ff7c1936aaf 548->550 550->549 556 7ff7c1936ab1-7ff7c1936ae8 call 7ff7c1935338 550->556 554->555 562 7ff7c1936c0a-7ff7c1936c17 555->562 563 7ff7c1936c02-7ff7c1936c05 
555->563 556->549 564 7ff7c1936c19-7ff7c1936c51 562->564 565 7ff7c1936c07-7ff7c1936c08 562->565 563->564 563->565 569 7ff7c1936ca8-7ff7c1936caf 564->569 570 7ff7c1936c53-7ff7c1936c59 564->570 565->562 572 7ff7c1936cb1-7ff7c1936cb2 569->572 573 7ff7c1936cf2-7ff7c1936d1b 569->573 570->569 571 7ff7c1936c5b-7ff7c1936c5c 570->571 574 7ff7c1936c5f-7ff7c1936c62 571->574 575 7ff7c1936cb5-7ff7c1936cb8 572->575 577 7ff7c1936c68-7ff7c1936c75 574->577 578 7ff7c1936d1c-7ff7c1936d31 574->578 575->578 579 7ff7c1936cba-7ff7c1936ccb 575->579 582 7ff7c1936c77-7ff7c1936c9e 577->582 583 7ff7c1936ca1-7ff7c1936ca6 577->583 587 7ff7c1936d3b-7ff7c1936dc1 578->587 588 7ff7c1936d33-7ff7c1936d3a 578->588 580 7ff7c1936ce9-7ff7c1936cf0 579->580 581 7ff7c1936ccd-7ff7c1936cd3 579->581 580->573 580->575 581->578 584 7ff7c1936cd5-7ff7c1936ce5 581->584 582->583 583->569 583->574 584->580 588->587
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1405598535.00007FF7C1930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff7c1930000_RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.jbxd
                              Similarity
                              • API ID:
                              • String ID: d
                              • API String ID: 0-2564639436
                              • Opcode ID: 762e931f8944dadc0b1dc2131df3be095844e9d88840e7918e1fbc6662043ff9
                              • Instruction ID: 723a5d6c4360677d400e3c751129ac1afb81bb9bbe7d5e74deed6fe73d455a04
                              • Opcode Fuzzy Hash: 762e931f8944dadc0b1dc2131df3be095844e9d88840e7918e1fbc6662043ff9
                              • Instruction Fuzzy Hash: 40224530A1CA894FE749EF2888855B1B7E1FF45328B9442B9C48EC7597DE68F843C791

                              Control-flow Graph

                              control_flow_graph 594 7ff7c194071a-7ff7c1940746 595 7ff7c194074c-7ff7c194077b call 7ff7c193cce0 594->595 596 7ff7c1940822-7ff7c1940849 594->596 595->596 602 7ff7c194084b-7ff7c1940885 call 7ff7c193cce0 596->602 603 7ff7c1940893-7ff7c194089a 596->603 620 7ff7c1940887-7ff7c194088f 602->620 621 7ff7c194089f-7ff7c19408aa 602->621 605 7ff7c1940938-7ff7c194093a 603->605 606 7ff7c194093c-7ff7c194095f 605->606 607 7ff7c19409ab-7ff7c19409b7 605->607 611 7ff7c1940b99-7ff7c1940bf3 607->611 612 7ff7c19409bd-7ff7c1940a16 call 7ff7c193cce0 * 2 call 7ff7c1938d90 607->612 623 7ff7c1940bf9-7ff7c1940c54 call 7ff7c193cce0 * 2 call 7ff7c1938d90 611->623 624 7ff7c1940d26-7ff7c1940d83 611->624 612->611 643 7ff7c1940a1c-7ff7c1940a3a 612->643 620->603 626 7ff7c19408ac-7ff7c19408bf 621->626 627 7ff7c19408c1-7ff7c19408cc 621->627 623->624 656 7ff7c1940c5a-7ff7c1940cb0 623->656 640 7ff7c1940d89-7ff7c1940dde call 7ff7c193cce0 * 2 call 7ff7c1938d90 624->640 641 7ff7c1940e3e-7ff7c1940e49 624->641 626->605 630 7ff7c19408ce-7ff7c19408e0 627->630 631 7ff7c19408e2-7ff7c1940901 627->631 630->605 631->605 639 7ff7c1940903-7ff7c1940934 631->639 639->605 640->641 681 7ff7c1940de0-7ff7c1940e04 640->681 653 7ff7c1940e4e-7ff7c1940e97 641->653 654 7ff7c1940e4b-7ff7c1940e4d 641->654 643->611 644 7ff7c1940a40-7ff7c1940a5f 643->644 651 7ff7c1940a61-7ff7c1940a80 644->651 652 7ff7c1940ae0-7ff7c1940aea 644->652 658 7ff7c1940a82-7ff7c1940a87 651->658 659 7ff7c1940af1-7ff7c1940b06 651->659 661 7ff7c1940b1e-7ff7c1940b6f call 7ff7c193d6b0 652->661 662 7ff7c1940aec-7ff7c1940aef 652->662 669 7ff7c1940e9d-7ff7c1940ef6 call 7ff7c193cce0 * 2 call 7ff7c1938d90 653->669 670 7ff7c194102b-7ff7c194105a 653->670 654->653 656->624 657 7ff7c1940cb2-7ff7c1940cfd call 7ff7c193d6b0 656->657 657->624 679 7ff7c1940cff-7ff7c1940d25 657->679 665 7ff7c1940a89-7ff7c1940ad8 call 7ff7c1939130 658->665 666 7ff7c1940b08-7ff7c1940b19 658->666 659->666 661->611 682 7ff7c1940b71-7ff7c1940b98 661->682 662->661 
665->659 685 7ff7c1940ada-7ff7c1940adf 665->685 666->661 676 7ff7c1940b1b-7ff7c1940b1c 666->676 669->670 698 7ff7c1940efc-7ff7c1940f1a 669->698 689 7ff7c194105c-7ff7c1941087 670->689 690 7ff7c19410a4-7ff7c19410e3 call 7ff7c193cce0 * 2 call 7ff7c1938d90 670->690 676->661 686 7ff7c1940e32-7ff7c1940e3d 681->686 687 7ff7c1940e06-7ff7c1940e16 681->687 685->652 687->641 691 7ff7c1940e18-7ff7c1940e2f 687->691 693 7ff7c19411e7-7ff7c1941219 689->693 694 7ff7c194108d-7ff7c19410a3 689->694 690->693 719 7ff7c19410e9-7ff7c1941104 690->719 691->686 707 7ff7c194121b-7ff7c1941246 693->707 708 7ff7c1941263-7ff7c194128c call 7ff7c193cce0 693->708 694->690 698->670 701 7ff7c1940f20-7ff7c1940f3a 698->701 704 7ff7c1940f3c-7ff7c1940f5a 701->704 705 7ff7c1940f93-7ff7c1940f97 701->705 717 7ff7c1940f5c-7ff7c1940f71 704->717 718 7ff7c1940f73-7ff7c1940f84 704->718 714 7ff7c1940f99-7ff7c1940fff call 7ff7c1939130 call 7ff7c193d6b0 705->714 715 7ff7c1941018-7ff7c194102a 705->715 709 7ff7c194124c-7ff7c194125f 707->709 710 7ff7c1941315-7ff7c1941327 707->710 723 7ff7c194128e-7ff7c19412cd 708->723 724 7ff7c19412f1-7ff7c1941314 708->724 709->708 729 7ff7c1941369-7ff7c1941377 710->729 730 7ff7c1941329-7ff7c194133d 710->730 734 7ff7c1941001 714->734 725 7ff7c1940f88-7ff7c1940f90 717->725 718->725 726 7ff7c194115d-7ff7c1941164 719->726 727 7ff7c1941106-7ff7c1941109 719->727 741 7ff7c194133e-7ff7c194134a 723->741 749 7ff7c19412cf-7ff7c19412f0 call 7ff7c1939130 723->749 724->710 733 7ff7c1940f92 725->733 725->734 726->693 731 7ff7c194116a-7ff7c1941187 726->731 735 7ff7c194118a-7ff7c1941199 727->735 736 7ff7c194110b-7ff7c1941129 727->736 738 7ff7c194137d-7ff7c1941391 729->738 739 7ff7c19414d3-7ff7c19414e9 729->739 730->741 731->735 733->705 734->670 740 7ff7c1941003-7ff7c1941016 734->740 743 7ff7c194119a-7ff7c19411ae call 7ff7c193d6b0 735->743 736->743 744 7ff7c194112b-7ff7c1941130 736->744 746 7ff7c1941394-7ff7c19413cf call 7ff7c193cce0 * 2 call 7ff7c193e960 738->746 762 7ff7c19414ea 739->762 763 
7ff7c19414eb-7ff7c19414fd 739->763 740->715 745 7ff7c194134c-7ff7c1941366 741->745 741->746 748 7ff7c19411b1-7ff7c19411bd 743->748 747 7ff7c1941132-7ff7c1941156 call 7ff7c1939130 744->747 744->748 745->729 776 7ff7c19413e9-7ff7c19413f4 746->776 777 7ff7c19413d1-7ff7c19413e7 746->777 747->726 748->693 756 7ff7c19411bf-7ff7c19411e6 748->756 762->763 764 7ff7c19414fe 763->764 765 7ff7c19414ff-7ff7c1941500 763->765 764->765 771 7ff7c1941501-7ff7c1941539 765->771 773 7ff7c194153b-7ff7c194154d call 7ff7c1930198 771->773 774 7ff7c194154f 771->774 775 7ff7c1941554-7ff7c1941556 773->775 774->775 780 7ff7c194156a-7ff7c19415e1 775->780 781 7ff7c1941558-7ff7c1941563 775->781 785 7ff7c1941406 776->785 786 7ff7c19413f6-7ff7c1941404 776->786 777->776 805 7ff7c19416c8-7ff7c19416cf 780->805 806 7ff7c19415e7-7ff7c194165f 780->806 781->780 787 7ff7c1941408-7ff7c194140d 785->787 786->787 789 7ff7c1941430-7ff7c1941446 787->789 790 7ff7c194140f-7ff7c194142e call 7ff7c19351b0 787->790 797 7ff7c194145a-7ff7c194146f call 7ff7c193f350 789->797 798 7ff7c1941448-7ff7c1941453 789->798 795 7ff7c1941473-7ff7c1941479 790->795 795->762 800 7ff7c194147b-7ff7c1941480 795->800 797->795 798->797 800->771 802 7ff7c1941482-7ff7c19414b0 call 7ff7c1939130 call 7ff7c1938d90 800->802 802->739 817 7ff7c19414b2-7ff7c19414d2 802->817 807 7ff7c19416ec-7ff7c19416fc 805->807 808 7ff7c19416d1-7ff7c19416de 805->808 821 7ff7c1941661-7ff7c1941667 call 7ff7c193a328 806->821 822 7ff7c19416bf-7ff7c19416c7 call 7ff7c1941714 806->822 815 7ff7c1941702-7ff7c1941713 807->815 808->807 811 7ff7c19416e0-7ff7c19416ea 808->811 811->807 826 7ff7c194166c-7ff7c19416be 821->826 822->805 826->822
                              Memory Dump Source
                              • Source File: 00000000.00000002.1405598535.00007FF7C1930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff7c1930000_RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: cd94f1629f561a96db871db92a7376161667118864266778e476e7f69d4e2c61
                              • Instruction ID: 90bc0a4a8c85c32b9e91778c77c0bffa2c3fa8440bbc7a92422242a423595f6f
                              • Opcode Fuzzy Hash: cd94f1629f561a96db871db92a7376161667118864266778e476e7f69d4e2c61
                              • Instruction Fuzzy Hash: 82C2673060CB8A4FD359EF28C4904B5B7E2FF96315B5446BED48AC72A6DE34E846C781
                              Memory Dump Source
                              • Source File: 00000000.00000002.1405598535.00007FF7C1930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff7c1930000_RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 9689a65c144547c374fcb2db21e704b776560927174c0fc409bb586dfb84113c
                              • Instruction ID: 0350cd8d01f4e0683c0a535c8595ac00fd3da98ca05cda20b6d284124456fa5b
                              • Opcode Fuzzy Hash: 9689a65c144547c374fcb2db21e704b776560927174c0fc409bb586dfb84113c
                              • Instruction Fuzzy Hash: BB72AC3090CB894FE359EF28D4515B5B7E1FF95328B5006BED48AC7292DE28F846C792
                              Memory Dump Source
                              • Source File: 00000000.00000002.1405598535.00007FF7C1930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff7c1930000_RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c13c11f0156600c43904fda5eb1ebf7b5a4852ca235fc9b53d791dcd4a66f156
                              • Instruction ID: 24ff0376a128c6864a421e57139b1b697cca7e0e6ed93924ff3de987c4ffd768
                              • Opcode Fuzzy Hash: c13c11f0156600c43904fda5eb1ebf7b5a4852ca235fc9b53d791dcd4a66f156
                              • Instruction Fuzzy Hash: 8BA2F530A0CA8A8FE7A9EF28D455678B7E1FF55315F4401BAD08EC72A2DE64EC42C751
                              Memory Dump Source
                              • Source File: 00000000.00000002.1405598535.00007FF7C1930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff7c1930000_RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 938162d50f6fff96e76ed0cb7fb8d7e36b72cc3ef2328145fb29071ec5e3270a
                              • Instruction ID: 2b41b932d7a5eb33169813c0cbb4afca40f34a40a322fdaea11592610a937097
                              • Opcode Fuzzy Hash: 938162d50f6fff96e76ed0cb7fb8d7e36b72cc3ef2328145fb29071ec5e3270a
                              • Instruction Fuzzy Hash: 6582683290C6C64FE769EF1884402B5BBE1EF95328F5441BDD48E876D3DE68B846C7A0

                              Control-flow Graph

                              control_flow_graph 2027 7ff7c193ebba-7ff7c193ebc9 2028 7ff7c193ebcb-7ff7c193ebe0 2027->2028 2029 7ff7c193ebe2 2027->2029 2030 7ff7c193ebe4-7ff7c193ebe9 2028->2030 2029->2030 2032 7ff7c193ebef-7ff7c193ebfe 2030->2032 2033 7ff7c193ece6-7ff7c193ed06 2030->2033 2037 7ff7c193ec08-7ff7c193ec09 2032->2037 2038 7ff7c193ec00-7ff7c193ec06 2032->2038 2035 7ff7c193ed57-7ff7c193ed62 2033->2035 2039 7ff7c193ed08-7ff7c193ed0e 2035->2039 2040 7ff7c193ed64-7ff7c193ed73 2035->2040 2043 7ff7c193ec0b-7ff7c193ec2e 2037->2043 2038->2043 2041 7ff7c193f1d2 2039->2041 2042 7ff7c193ed14-7ff7c193ed35 call 7ff7c193a928 2039->2042 2049 7ff7c193ed89 2040->2049 2050 7ff7c193ed75-7ff7c193ed87 2040->2050 2046 7ff7c193f1d6-7ff7c193f1ea 2041->2046 2060 7ff7c193ed3a-7ff7c193ed54 2042->2060 2048 7ff7c193ec83-7ff7c193ec8e 2043->2048 2054 7ff7c193f1ec 2046->2054 2055 7ff7c193f234-7ff7c193f246 2046->2055 2052 7ff7c193ec30-7ff7c193ec36 2048->2052 2053 7ff7c193ec90-7ff7c193eca7 2048->2053 2051 7ff7c193ed8b-7ff7c193ed90 2049->2051 2050->2051 2057 7ff7c193ee1c-7ff7c193ee30 2051->2057 2058 7ff7c193ed96-7ff7c193edb8 call 7ff7c193a928 2051->2058 2052->2041 2061 7ff7c193ec3c-7ff7c193ec80 call 7ff7c193a928 2052->2061 2070 7ff7c193eca9-7ff7c193eccf call 7ff7c193a928 2053->2070 2071 7ff7c193ecd6-7ff7c193ece1 call 7ff7c193b058 2053->2071 2059 7ff7c193f1ef-7ff7c193f227 call 7ff7c193b0b0 2054->2059 2066 7ff7c193f248-7ff7c193f24a call 7ff7c1936188 2055->2066 2063 7ff7c193ee32-7ff7c193ee38 2057->2063 2064 7ff7c193ee80-7ff7c193ee8f 2057->2064 2092 7ff7c193edba-7ff7c193ede4 2058->2092 2093 7ff7c193ede6-7ff7c193ede7 2058->2093 2112 7ff7c193f229-7ff7c193f232 2059->2112 2113 7ff7c193f271-7ff7c193f27b 2059->2113 2060->2035 2061->2048 2067 7ff7c193ee3a-7ff7c193ee55 2063->2067 2068 7ff7c193ee57-7ff7c193ee6f 2063->2068 2089 7ff7c193ee9c 2064->2089 2090 7ff7c193ee91-7ff7c193ee9a 2064->2090 2100 7ff7c193f24e-7ff7c193f261 2066->2100 2067->2068 2086 7ff7c193ee78-7ff7c193ee7b 2068->2086 2070->2071 
2071->2057 2094 7ff7c193f028-7ff7c193f03d 2086->2094 2096 7ff7c193ee9e-7ff7c193eea3 2089->2096 2090->2096 2103 7ff7c193ede9-7ff7c193edf0 2092->2103 2093->2103 2108 7ff7c193f07d 2094->2108 2109 7ff7c193f03f-7ff7c193f07b 2094->2109 2097 7ff7c193eea9-7ff7c193eeac 2096->2097 2098 7ff7c193f1af-7ff7c193f1b0 2096->2098 2105 7ff7c193eeae-7ff7c193eecb call 7ff7c1930198 2097->2105 2106 7ff7c193eef4 2097->2106 2110 7ff7c193f1b3-7ff7c193f1ba 2098->2110 2127 7ff7c193f26c-7ff7c193f26f 2100->2127 2128 7ff7c193f263-7ff7c193f26b 2100->2128 2103->2057 2111 7ff7c193edf2-7ff7c193ee17 call 7ff7c193a950 2103->2111 2105->2106 2150 7ff7c193eecd-7ff7c193eef2 2105->2150 2117 7ff7c193eef6-7ff7c193eefb 2106->2117 2121 7ff7c193f07f-7ff7c193f084 2108->2121 2109->2121 2110->2059 2134 7ff7c193f1bc-7ff7c193f1c2 2110->2134 2140 7ff7c193f19e-7ff7c193f1ae 2111->2140 2112->2055 2118 7ff7c193f27d-7ff7c193f285 2113->2118 2119 7ff7c193f286-7ff7c193f297 2113->2119 2130 7ff7c193effc-7ff7c193f01f 2117->2130 2131 7ff7c193ef01-7ff7c193ef0d 2117->2131 2118->2119 2132 7ff7c193f299-7ff7c193f2a1 2119->2132 2133 7ff7c193f2a2-7ff7c193f2a9 2119->2133 2123 7ff7c193f086-7ff7c193f0dd call 7ff7c19360c0 2121->2123 2124 7ff7c193f0f4-7ff7c193f108 2121->2124 2180 7ff7c193f14e-7ff7c193f153 2123->2180 2181 7ff7c193f0df-7ff7c193f0e3 2123->2181 2141 7ff7c193f10a-7ff7c193f135 call 7ff7c19360c0 2124->2141 2142 7ff7c193f157-7ff7c193f163 call 7ff7c1938d90 2124->2142 2127->2113 2128->2127 2146 7ff7c193f025-7ff7c193f026 2130->2146 2131->2041 2136 7ff7c193ef13-7ff7c193ef22 2131->2136 2132->2133 2133->2066 2138 7ff7c193f2ab-7ff7c193f2ef call 7ff7c193cce0 2133->2138 2137 7ff7c193f1c3-7ff7c193f1cb 2134->2137 2148 7ff7c193ef35-7ff7c193ef42 call 7ff7c1930198 2136->2148 2149 7ff7c193ef24-7ff7c193ef33 2136->2149 2137->2041 2175 7ff7c193f301 2138->2175 2176 7ff7c193f2f1-7ff7c193f2ff 2138->2176 2164 7ff7c193f13a-7ff7c193f142 2141->2164 2151 7ff7c193f164-7ff7c193f173 2142->2151 2146->2094 2162 7ff7c193ef48-7ff7c193ef4e 2148->2162 2149->2162 
2150->2117 2151->2046 2166 7ff7c193ef50-7ff7c193ef7d 2162->2166 2167 7ff7c193ef83-7ff7c193ef88 2162->2167 2164->2110 2165 7ff7c193f144-7ff7c193f147 2164->2165 2165->2137 2170 7ff7c193f149 2165->2170 2166->2167 2167->2041 2174 7ff7c193ef8e-7ff7c193efae 2167->2174 2178 7ff7c193f14b 2170->2178 2179 7ff7c193f190-7ff7c193f19b 2170->2179 2187 7ff7c193efc2-7ff7c193eff2 call 7ff7c193a320 2174->2187 2188 7ff7c193efb0-7ff7c193efbf 2174->2188 2177 7ff7c193f303-7ff7c193f308 2175->2177 2176->2177 2183 7ff7c193f30a-7ff7c193f31d call 7ff7c19351b0 2177->2183 2184 7ff7c193f31f-7ff7c193f327 call 7ff7c19360d8 2177->2184 2178->2180 2179->2140 2180->2142 2181->2151 2186 7ff7c193f0e5-7ff7c193f0ee 2181->2186 2194 7ff7c193f32c-7ff7c193f333 2183->2194 2184->2194 2186->2124 2196 7ff7c193eff7-7ff7c193effa 2187->2196 2188->2187 2196->2094
                              Memory Dump Source
                              • Source File: 00000000.00000002.1405598535.00007FF7C1930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff7c1930000_RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c4879e67e9c90fc4222f33b64c9d2da487b5e0796bcc95086990d7a77d609961
                              • Instruction ID: d42733a7e82855f9abbfe041c20eca51cd97d73856c344dfe7b1af170c839f2a
                              • Opcode Fuzzy Hash: c4879e67e9c90fc4222f33b64c9d2da487b5e0796bcc95086990d7a77d609961
                              • Instruction Fuzzy Hash: 6F421730A0CA498FDBA8EF2CD855A79B7E1FF55314B9401BDE48EC7292DE24EC428751
                              Memory Dump Source
                              • Source File: 00000000.00000002.1405598535.00007FF7C1930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff7c1930000_RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2739878ddfba4c99325e82e51ba6c429694d0616291bc383897d0f1e02adeb89
                              • Instruction ID: 8d65a36a2745834b7860dd8323547601d76d5def788e246fec9192f240eb711c
                              • Opcode Fuzzy Hash: 2739878ddfba4c99325e82e51ba6c429694d0616291bc383897d0f1e02adeb89
                              • Instruction Fuzzy Hash: 6B226C3050CB894FE309EF2884651B5F7E1FF85329BD445BED48AC72A6DE28E846C791
                              Memory Dump Source
                              • Source File: 00000000.00000002.1405598535.00007FF7C1930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff7c1930000_RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 541699a80e0c75d7edf808d5259ec53829a8497145fc353044f1ca916cefc956
                              • Instruction ID: 9bcdd98fb4fc753aeb622cb2110eeeddd29548bbdf393c8298563c85ed0cdc21
                              • Opcode Fuzzy Hash: 541699a80e0c75d7edf808d5259ec53829a8497145fc353044f1ca916cefc956
                              • Instruction Fuzzy Hash: 3AF1743460CB864FE31DDB2884A51B5F7E2FF91315B9446BED4CAC72A1DE28E802C791
                              Memory Dump Source
                              • Source File: 00000000.00000002.1405598535.00007FF7C1930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff7c1930000_RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 4d3a49c685cffbe591f7c7973ad4d633b7e22462bc414b009f676c26984d08af
                              • Instruction ID: ce43fb972f84b46c8a7d87241e815ae3c9b93d5ad2c186e85b4144773119f2b9
                              • Opcode Fuzzy Hash: 4d3a49c685cffbe591f7c7973ad4d633b7e22462bc414b009f676c26984d08af
                              • Instruction Fuzzy Hash: 89D1A160B18A894FE789FB2C8855778FBE2EF4A754F8401BAD04DC7397CD68AC428751
                              Memory Dump Source
                              • Source File: 00000000.00000002.1405598535.00007FF7C1930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff7c1930000_RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 43d9e97e244467df08a0b964e22290edbcd7204c885000f0351cba560f023322
                              • Instruction ID: bf8ad6f663b64f72896705ecf7d2849b63bf751eb923c39b293235acf78b2793
                              • Opcode Fuzzy Hash: 43d9e97e244467df08a0b964e22290edbcd7204c885000f0351cba560f023322
                              • Instruction Fuzzy Hash: 3B41297160C7890FD71E9A388C661B57BA5EB83220B1582BFD5C7C72D7EC18A81787D2

                              Control-flow Graph

                              control_flow_graph 889 7ff7c1934f6d-7ff7c193502f VirtualProtect 893 7ff7c1935037-7ff7c193505f 889->893 894 7ff7c1935031 889->894 894->893
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1405598535.00007FF7C1930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff7c1930000_RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.jbxd
                              Similarity
                              • API ID: ProtectVirtual
                              • String ID:
                              • API String ID: 544645111-0
                              • Opcode ID: 740892c583aef0ac7995ca0f278fb7715c45ce68daf82112689c1ca84dcafb32
                              • Instruction ID: 2e17f876957fd237a9e899c5cc4af2228023e4b86b17630cb7ca8a40692c530f
                              • Opcode Fuzzy Hash: 740892c583aef0ac7995ca0f278fb7715c45ce68daf82112689c1ca84dcafb32
                              • Instruction Fuzzy Hash: 9A31D63190CA5C5FDB08DF989845AF9BBF1EB96311F04426FD049D3252CB646856CB91

                              Control-flow Graph

                              control_flow_graph 895 7ff7c193b3d5-7ff7c1949d6f VirtualProtect 900 7ff7c1949d77-7ff7c1949d9f 895->900 901 7ff7c1949d71 895->901 901->900
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1405598535.00007FF7C1930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff7c1930000_RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.jbxd
                              Similarity
                              • API ID: ProtectVirtual
                              • String ID:
                              • API String ID: 544645111-0
                              • Opcode ID: 80276e395dcb180882deebb50d7c315b499430c0ec24c45366f347d7e6d2a4e6
                              • Instruction ID: 6f59c8ec18ae0b881151bc8b35bdaca564d2ed3687bb2e4ab28f2d6b9c4a8c29
                              • Opcode Fuzzy Hash: 80276e395dcb180882deebb50d7c315b499430c0ec24c45366f347d7e6d2a4e6
                              • Instruction Fuzzy Hash: B231F871A0CA5C9FDB18EF5C984A6F9BBE1EB95321F04427FE04AC3291CB616852C791

                              Control-flow Graph

                              control_flow_graph 902 7ff7c19309c9-7ff7c1930a5c FreeConsole 905 7ff7c1930a5e 902->905 906 7ff7c1930a64-7ff7c1930a80 902->906 905->906
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1405598535.00007FF7C1930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff7c1930000_RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.jbxd
                              Similarity
                              • API ID: ConsoleFree
                              • String ID:
                              • API String ID: 771614528-0
                              • Opcode ID: 9516caa066f6ef077190783abeabee84770eacb58aaed1d6e56af1717371848d
                              • Instruction ID: ba36b0dcb7f2b44ee5ea93af29b92947cd5a59270cb04c3d43ce5dc646501136
                              • Opcode Fuzzy Hash: 9516caa066f6ef077190783abeabee84770eacb58aaed1d6e56af1717371848d
                              • Instruction Fuzzy Hash: 6321837090DB4C8FDB59EB58D8496E9BFF0EF56310F04416FD08AC3552DA64684ACB51
                              Memory Dump Source
                              • Source File: 00000000.00000002.1405981178.00007FF7C1A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1A20000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff7c1a20000_RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 957865ff62cb62b2b99c3d5cd03f7759ff95fe2734f1cd65be3ab19ed19f5892
                              • Instruction ID: 6acc79fa7807d826835c657ab58e0ec14c949819a547ceff1b790d103d5977b6
                              • Opcode Fuzzy Hash: 957865ff62cb62b2b99c3d5cd03f7759ff95fe2734f1cd65be3ab19ed19f5892
                              • Instruction Fuzzy Hash: DA71573090CBC94FDB96EF2888589A8BBF0FF56314B5901FBD04EC7193DA68A845C391
                              Memory Dump Source
                              • Source File: 00000000.00000002.1405981178.00007FF7C1A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1A20000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff7c1a20000_RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5e9115a457bb8814100b4b0ca98f4aa0c9078babcd0d35acb51e6a72be6ad374
                              • Instruction ID: 77afe89a9de21a753aebb68f95491253aca69f679c46e6beb0759e163bcae668
                              • Opcode Fuzzy Hash: 5e9115a457bb8814100b4b0ca98f4aa0c9078babcd0d35acb51e6a72be6ad374
                              • Instruction Fuzzy Hash: 2FE0E531A046288ADB60EA48CC81BD9B3B1EB85210F0041E6D44DA3241CA306A84CB82

                              Execution Graph

                              Execution Coverage:11%
                              Dynamic/Decrypted Code Coverage:100%
                              Signature Coverage:4.9%
                              Total number of Nodes:61
                              Total number of Limit Nodes:5
                              Execution graph, entry nodes: 6e642a0, 6e61cf0, 6e66a10, 109d044, 6e66478, 10e70b0. Nodes labelled with API calls: CallWindowProcW at 6e6434a, 6e61164 and 6e6128c; CreateWindowExW at 6e61cf6; WaitMessage at 6e66ed8; OleInitialize at 6e667f8; CheckRemoteDebuggerPresent at 10e70f4.
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2514623050.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6650000_RegAsm.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a64bd9229bf4630af915a8f8f9f12d88b1e34bf5ed9d5366f1e3a8ff7f8fccfc
                              • Instruction ID: 2911b69a9a2893a0c5400d6db8f712da9ee1b2daa9987132dd67c77602a9a8b0
                              • Opcode Fuzzy Hash: a64bd9229bf4630af915a8f8f9f12d88b1e34bf5ed9d5366f1e3a8ff7f8fccfc
                              • Instruction Fuzzy Hash: 2F630A31D10B1A8ADB11EF68C990699F7B1FF99300F15C69AE45977221FB70AAC4CF81
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2514623050.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6650000_RegAsm.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7dc06357714d6f7fbc48144d571237084122121013eb81d67cd0b3e09b22a74e
                              • Instruction ID: 6844e5a977578ea76603255aae6375dbde365e3dc5f98752322af789a3329d15
                              • Opcode Fuzzy Hash: 7dc06357714d6f7fbc48144d571237084122121013eb81d67cd0b3e09b22a74e
                              • Instruction Fuzzy Hash: 0933FB31D106198EDB11EF68C8806ADF7B1FF99300F25C69AD459BB211EB70AAD5CF81

                              Control-flow Graph

                              Control-flow graph, function at 6e66a10: basic blocks span 6e66a10 through 6e66f97. WaitMessage is called in block 6e66ed8-6e66f04; the function also calls the internal routines 6e659c0, 6e659cc, 6e659d8, 6e659e4, 6e659f0, 6e65a00, 6e65a0c and 6e65a18.
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2514900014.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6e60000_RegAsm.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d8342565c6d65a5024200282f816c77f9a9fecfdb17906c2fbdcdf4974e23cbf
                              • Instruction ID: b2ae72413c2478815a89c1ce0338a84f069f5c5407a7de1e37f338d25d2dc3ce
                              • Opcode Fuzzy Hash: d8342565c6d65a5024200282f816c77f9a9fecfdb17906c2fbdcdf4974e23cbf
                              • Instruction Fuzzy Hash: D0F17930E50309CFEB54DFAAC948B9DBBF1BF88344F249168E415AF265DB70A945CB81

                              Control-flow Graph

                              Control-flow graph, function at 10e70b0: block 10e70b0-10e7134 calls CheckRemoteDebuggerPresent and branches either to 10e7136-10e713c, which falls through into 10e713d-10e7178, or directly to 10e713d-10e7178.
                              APIs
                              • CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 010E7127
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2509221471.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_10e0000_RegAsm.jbxd
                              Similarity
                              • API ID: CheckDebuggerPresentRemote
                              • String ID:
                              • API String ID: 3662101638-0
                              • Opcode ID: 64302ef8831852005a0cf1b1497ca97901fa0a292b18d3971530dd66f6e5c982
                              • Instruction ID: d1ec0c044d5acce00875c9ebcc41767de286fb37604bfb188f112062382be27c
                              • Opcode Fuzzy Hash: 64302ef8831852005a0cf1b1497ca97901fa0a292b18d3971530dd66f6e5c982
                              • Instruction Fuzzy Hash: 0A2139B2C003598FDB14CF9AD884BEEFBF5AF49210F14845AE455B7250D778A944CFA1
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2514623050.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6650000_RegAsm.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 81f2cf2e84e4411ece318faa5745cbe4bc5e4207a9036eddad9c06ec47278f1b
                              • Instruction ID: 03409cdf3f4a7ff0a79d1884ed1537436bd5adc00b93b4b12b1fb0435c8decb5
                              • Opcode Fuzzy Hash: 81f2cf2e84e4411ece318faa5745cbe4bc5e4207a9036eddad9c06ec47278f1b
                              • Instruction Fuzzy Hash: 35D24A30E102058FDB64DB68C594A9DB7B2FF89310F55C5AAD849AB361EB31ED81CF90
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2514623050.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6650000_RegAsm.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f1f60ca58884d79a3d32cf660e57b475993e0d2070a8e64efaf7ba2986c42a6f
                              • Instruction ID: aa1b24b26bb375a258c55206dcdf9f0a64127af13b8546fd91c0f24ec48d1f16
                              • Opcode Fuzzy Hash: f1f60ca58884d79a3d32cf660e57b475993e0d2070a8e64efaf7ba2986c42a6f
                              • Instruction Fuzzy Hash: 51C2F831D10B1A8ADB11EF68C9406A9F7B1FF99300F15D69AE45877221FB70AAD4CF81
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2514623050.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6650000_RegAsm.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b74e76e3dd36ee5c54350f904da511e5874055ae8b05e61d137bf42939b5c327
                              • Instruction ID: f111be1bc0f323c431b0cbd33b9c9b1792e30afb38f17f68e5434e748eb227be
                              • Opcode Fuzzy Hash: b74e76e3dd36ee5c54350f904da511e5874055ae8b05e61d137bf42939b5c327
                              • Instruction Fuzzy Hash: 6662AD30A102059FDB64DBA8D595BADB7F2FF88310F158669E806EB350DB35EC42CB90
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2514623050.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6650000_RegAsm.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 18e73d9f9cd3386408da5c12f28bbc6682d19f8a867aa7dacdb0aaad89d732da
                              • Instruction ID: 5e5ff7d9613f5ec903804ca6e849c5af64fc8e396d08a93ca7546db8133c6a2e
                              • Opcode Fuzzy Hash: 18e73d9f9cd3386408da5c12f28bbc6682d19f8a867aa7dacdb0aaad89d732da
                              • Instruction Fuzzy Hash: 2D52A170E102098FEF64DBA8D5817ADB7B2FB85310F21852AE855EB341DB35DD81CB91
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2514623050.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6650000_RegAsm.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0adfa4f86d8f23786506d4c5e4c4057a3f0128685cf6238aba66c1393e768d90
                              • Instruction ID: d12dcf50da15d7334d358ed0058641de0158ed66786dd209b7266d0498bac765
                              • Opcode Fuzzy Hash: 0adfa4f86d8f23786506d4c5e4c4057a3f0128685cf6238aba66c1393e768d90
                              • Instruction Fuzzy Hash: 8702BD30B1020A9FDB54EB69D4A17AEB7A2FF84310F258569D8059B395DB71EC82CB90

                              Control-flow Graph

                              Control-flow graph, function at 6658bc0: basic blocks span 6658bc0 through 665910a; no API or subroutine calls appear in the graph.
                              Strings
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2514623050.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6650000_RegAsm.jbxd
                              Similarity
                              • API ID:
                              • String ID: $
                              • API String ID: 0-3993045852
                              • Opcode ID: a00b4c6ebba385335c86367e0d9f544ff19b65eb8f61a507b6807c5101aa140b
                              • Instruction ID: 1841102dfee9a4ac93730614bb74d7419db943d53926c2d0ac3a5a24bc477711
                              • Opcode Fuzzy Hash: a00b4c6ebba385335c86367e0d9f544ff19b65eb8f61a507b6807c5101aa140b
                              • Instruction Fuzzy Hash: 57E1D175F00228CFDB50DBA4C4516AEBBB2FF88320F21856AD815AB344DB35EC46CB90

                              Control-flow Graph

                              Control-flow graph, function at 6e61ce5: basic blocks span 6e61ce5 through 6e61e61. CreateWindowExW is called in block 6e61db3-6e61e12; the trailing block 6e61e61 loops on itself.
                              APIs
                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06E61E02
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2514900014.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6e60000_RegAsm.jbxd
                              Similarity
                              • API ID: CreateWindow
                              • String ID:
                              • API String ID: 716092398-0
                              • Opcode ID: dbdcb07a884706e6ed68c63f7452dfe41a7a019b608891cff37de1a9c86bfd6d
                              • Instruction ID: bf7a255e15864924230d8fa4350f3d266d49a4e6dc4fa9f37b6e5292e5b799a6
                              • Opcode Fuzzy Hash: dbdcb07a884706e6ed68c63f7452dfe41a7a019b608891cff37de1a9c86bfd6d
                              • Instruction Fuzzy Hash: 1451F1B1D003499FDB15CF9AC884ADEBFF6BF48350F64812AE819AB210D7709845CF90

                              Control-flow Graph

                              Control-flow graph, function at 6e61cf0: basic blocks span 6e61cf0 through 6e61e61. CreateWindowExW is called in block 6e61d73-6e61e12; the trailing block 6e61e61 loops on itself.
                              APIs
                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06E61E02
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2514900014.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6e60000_RegAsm.jbxd
                              Similarity
                              • API ID: CreateWindow
                              • String ID:
                              • API String ID: 716092398-0
                              • Opcode ID: f4d42cba603300620844baaec1fc22a40c7dbf2453a048b1201e0c12f63a7499
                              • Instruction ID: bc8731cf3fcbad6f9efad5901a8ebc762dfb8d64c0f29bda920e92a88e93f7ab
                              • Opcode Fuzzy Hash: f4d42cba603300620844baaec1fc22a40c7dbf2453a048b1201e0c12f63a7499
                              • Instruction Fuzzy Hash: 7141B0B1D103499FDB15CF9AC884ADEBBB5BF48354F64812AE819AB210D774A885CF90

                              Control-flow Graph

                              Control-flow graph, function at 6e6128c: basic blocks span 6e6128c through 6e643cc. CallWindowProcW is called in block 6e6434a-6e64382 and the internal routine 6e61164 in block 6e6439c-6e643bc.
                              APIs
                              • CallWindowProcW.USER32(?,?,?,?,?), ref: 06E64371
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2514900014.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6e60000_RegAsm.jbxd
                              Similarity
                              • API ID: CallProcWindow
                              • String ID:
                              • API String ID: 2714655100-0
                              • Opcode ID: 1abe775833c259187c5c468e03a4737232409d5d86b04f8ec507b8bf5a3f1215
                              • Instruction ID: d84c8bab6bffb0e8d6f3839bf2207c5990f9205beb37d3ad12cb616ac5705b59
                              • Opcode Fuzzy Hash: 1abe775833c259187c5c468e03a4737232409d5d86b04f8ec507b8bf5a3f1215
                              • Instruction Fuzzy Hash: 7F410BB5940305CFDB54CF5AC448BAABBF5FF88314F24C459E519AB361D774A841CBA0

                              Control-flow Graph

                              Control-flow graph, function at 10e70a8: block 10e70a8-10e7134 calls CheckRemoteDebuggerPresent and branches either to 10e7136-10e713c, which falls through into 10e713d-10e7178, or directly to 10e713d-10e7178.
                              APIs
                              • CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 010E7127
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2509221471.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_10e0000_RegAsm.jbxd
                              Similarity
                              • API ID: CheckDebuggerPresentRemote
                              • String ID:
                              • API String ID: 3662101638-0
                              • Opcode ID: 4a979faa2ac39aa81aab0d78848cb32aaddb8e6d49ceefb7b3c1b176e553153c
                              • Instruction ID: 1ea8805439c1412bc95fb05322a2297613da66048f02473bd1553568e75200d0
                              • Opcode Fuzzy Hash: 4a979faa2ac39aa81aab0d78848cb32aaddb8e6d49ceefb7b3c1b176e553153c
                              • Instruction Fuzzy Hash: ED212772C002598FDB14CF9AD884BEEBBF5AF48220F24846AD455B7250C7789945CF60
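                              The function records above follow a fixed layout (an optional APIs block, then Memory Dump Source, Joe Sandbox IDA Plugin and Similarity bullets). The following Python is an added example, not part of this report and not Joe Sandbox code: it parses records in that layout, resolves each API call to the process and region that holds it, and lists the dumped regions that are not backed by a PE image. The sample text is copied from this page with a few hash lines dropped. One decoding step is an inference from this page rather than documented behaviour and is marked as such in the code: in the dotted Source File name, the first field is taken to be the process ID in hex and the fourth the region base, because 0000000B.*.00000000010E0000 pairs with the snapshot file hcaresult_11_2_10e0000_RegAsm.

```python
import re
from collections import defaultdict

# Constructed sample: three function records copied from this report, with a few
# hash lines dropped for brevity. PID 0xB (11) is the RegAsm.exe process.
SAMPLE = """
APIs
• CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 010E7127
Memory Dump Source
• Source File: 0000000B.00000002.2509221471.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_10e0000_RegAsm.jbxd
Similarity
• API ID: CheckDebuggerPresentRemote
• String ID:
• API String ID: 3662101638-0
• Instruction Fuzzy Hash: 0A2139B2C003598FDB14CF9AD884BEEFBF5AF49210F14845AE455B7250D778A944CFA1
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06E61E02
Memory Dump Source
• Source File: 0000000B.00000002.2514900014.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_6e60000_RegAsm.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Instruction Fuzzy Hash: 1451F1B1D003499FDB15CF9AC884ADEBFF6BF48350F64812AE819AB210D7709845CF90
Memory Dump Source
• Source File: 0000000B.00000002.2514623050.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_6650000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Instruction Fuzzy Hash: 35D24A30E102058FDB64DB68C594A9DB7B2FF89310F55C5AAD849AB361EB31ED81CF90
"""

# "• Api.MODULE(args), ref: ADDRESS" lines from an APIs block.
API_RE = re.compile(r"^• (\w+)\.(\w+)\((.*)\), ref: ([0-9A-Fa-f]+)$")
# "• Key: value" bullets; the value may be empty (e.g. "• String ID:").
FIELD_RE = re.compile(r"^• ([^:]+):\s*(.*)$")


def parse_records(text):
    """One dict per function: 'apis' holds (api, module, call-site address) tuples
    from the APIs block preceding 'Memory Dump Source'; 'fields' maps bullet keys
    (Source File, API ID, Instruction Fuzzy Hash, ...) to their values."""
    records, pending_apis, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Memory Dump Source":
            current = {"apis": pending_apis, "fields": {}}
            pending_apis = []
            records.append(current)
            continue
        m = API_RE.match(line)
        if m:
            pending_apis.append((m.group(1), m.group(2), int(m.group(4), 16)))
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current["fields"][m.group(1)] = m.group(2)
    return records


def decode_source_file(value):
    """Decode a Source File value. ASSUMPTION (inferred from this page, not from
    Joe Sandbox documentation): field 1 of the dotted dump name is the PID in hex
    and field 4 the region base, matching snapshot hcaresult_11_2_10e0000_RegAsm."""
    name, rest = value.split(", ", 1)
    parts = name.split(".")
    offset = int(re.search(r"Offset: ([0-9A-Fa-f]+)", rest).group(1), 16)
    return {
        "pid": int(parts[0], 16),
        "dump": int(parts[1], 16),
        "base": int(parts[3], 16),
        "offset": offset,
        "based_on_pe": rest.endswith("based on PE: true"),
    }


def api_call_index(records):
    """Map each imported API to the (pid, call-site) pairs that reach it: the
    pivot an analyst wants when choosing which process and region to dump."""
    index = defaultdict(list)
    for rec in records:
        src = decode_source_file(rec["fields"]["Source File"])
        for api, _module, ref in rec["apis"]:
            index[api].append((src["pid"], ref))
    return dict(index)


def regions_not_backed_by_pe(records):
    """(pid, base) of every dumped region marked 'based on PE: false', i.e. code
    not mapped from an image on disk; here, the injected payload inside RegAsm."""
    regions = set()
    for rec in records:
        src = decode_source_file(rec["fields"]["Source File"])
        if not src["based_on_pe"]:
            regions.add((src["pid"], src["base"]))
    return regions
```

                              Run on the sample, api_call_index places both CheckRemoteDebuggerPresent and CreateWindowExW in PID 11 (RegAsm.exe), and regions_not_backed_by_pe returns the three non-image regions 010E0000, 06650000 and 06E60000 in that process, which is the memory an analyst would dump first when extracting the injected payload.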

                              Control-flow Graph

                              Control-flow graph, function at 6e65960: block 6e65960-6e66853 calls OleInitialize and continues to 6e6685a, which branches either to 6e6685c-6e66862, falling through into 6e66863-6e66880, or directly to 6e66863-6e66880.
                              APIs
                              • OleInitialize.OLE32(00000000), ref: 06E6684D
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2514900014.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6e60000_RegAsm.jbxd
                              Similarity
                              • API ID: Initialize
                              • String ID:
                              • API String ID: 2538663250-0
                              • Opcode ID: 2af86b5ed72fdd8727ac4fd94185f1a10d9d7308686d10817f3dbd6a8ae80495
                              • Instruction ID: 6f314a25e26d6bd740880eaed67897dfb92ea036319f3b97411bb8f10ad694fd
                              • Opcode Fuzzy Hash: 2af86b5ed72fdd8727ac4fd94185f1a10d9d7308686d10817f3dbd6a8ae80495
                              • Instruction Fuzzy Hash: FD1145B1C003498FDB20DF9AD444BDEBBF4EB48320F208429E519A7300D374A944CFA5

                              Control-flow Graph

                              Control-flow graph, function at 6e667f1: block 6e667f1-6e667f6 goes to 6e667f8-6e667fd or straight to 6e667fe-6e66853, which calls OleInitialize and continues to 6e6685a; from there control branches either to 6e6685c-6e66862, falling through into 6e66863-6e66880, or directly to 6e66863-6e66880.
                              APIs
                              • OleInitialize.OLE32(00000000), ref: 06E6684D
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2514900014.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6e60000_RegAsm.jbxd
                              Similarity
                              • API ID: Initialize
                              • String ID:
                              • API String ID: 2538663250-0
                              • Opcode ID: 132d189e355bb5728be39ec30a05aa601c8e105b182c18e6f8ee1148381bde88
                              • Instruction ID: 5e1b35fa7fb23b59947f7770921d8e6f4c76d7b9abd6e797be348b518be0dd4b
                              • Opcode Fuzzy Hash: 132d189e355bb5728be39ec30a05aa601c8e105b182c18e6f8ee1148381bde88
                              • Instruction Fuzzy Hash: B91115B5C103498FDB20DFAAD984BDEBBF4EB48324F248419E518A7210C374A944CFA5
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2514623050.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6650000_RegAsm.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c67d093fc792c305e7b96b96fccfd1d273802a91feed6b92d3bb11671fb501bc
                              • Instruction ID: 24e955e9d7f43a83196fec2b0028e69e8536e9c3bc523417fd7de486125dcf06
                              • Opcode Fuzzy Hash: c67d093fc792c305e7b96b96fccfd1d273802a91feed6b92d3bb11671fb501bc
                              • Instruction Fuzzy Hash: CEE17F30F1030A8FDF65DBA9D4916AEB7B2FF85300F518529E805EB345EB71A942CB91
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2514623050.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6650000_RegAsm.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8d151c14cef7d54e6d93932f8226d196f1b1e2932034021ac0b4436cad144420
                              • Instruction ID: b5d914c498f7da6b5e886bfcbe12270e5da7bf23554de37f63804eb9dc030205
                              • Opcode Fuzzy Hash: 8d151c14cef7d54e6d93932f8226d196f1b1e2932034021ac0b4436cad144420
                              • Instruction Fuzzy Hash: 69A1E970F102098FEF64DB6CC5917AEB7B2FB89710F214525E84AEB381DA36DD818B51
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2514623050.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6650000_RegAsm.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ad0249851807134f67710b16fd9a7df630ec72fc2707e91938253e2bdb891bd6
                              • Instruction ID: d60593b50fc229c654e5339b1ccc6075cf92b11dd0ebf06f058827f9a280024f
                              • Opcode Fuzzy Hash: ad0249851807134f67710b16fd9a7df630ec72fc2707e91938253e2bdb891bd6
                              • Instruction Fuzzy Hash: 19915371B6020A8FDB64EB69D85176EB7F2FF88300F508569C909EB354EF709D428B91
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2514623050.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6650000_RegAsm.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a55a02325818118e28d4a7f1a126cf649d2edbcf8302f714aed827a5adbe6930
                              • Instruction ID: 0ec2af5ed3393d5c5aa53346dc83974a4646756551f7c73508f276475a14ad6e
                              • Opcode Fuzzy Hash: a55a02325818118e28d4a7f1a126cf649d2edbcf8302f714aed827a5adbe6930
                              • Instruction Fuzzy Hash: 6D61B171F001118FDB559A6ECC8066EBADBAFC4720F654539D80ADB360DEA5EC0687D1
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2514623050.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6650000_RegAsm.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 4d77b75e7c75c0a26b9852d1ad6603fbcb9d9f13b004b574f37d473a4f08f2bc
                              • Instruction ID: b001c6896cf8fe5fcfcf2481b27f2cbf51fc31b048bf29be6a31f1e646c5eb4a
                              • Opcode Fuzzy Hash: 4d77b75e7c75c0a26b9852d1ad6603fbcb9d9f13b004b574f37d473a4f08f2bc
                              • Instruction Fuzzy Hash: D3814D74B102099FDB54DBA8D4A17AE7BA7FF89300F118429D809EB384EE34DC428B91
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2514623050.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6650000_RegAsm.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8978d446a3ecbf0457ffdd1deddd7ba0a1745d008d2a1e44239e42c2d6786c99
                              • Instruction ID: 4e1379dfbf43a89b95a913e83d5df818551aff3fc22b175932996ded5015fb5d
                              • Opcode Fuzzy Hash: 8978d446a3ecbf0457ffdd1deddd7ba0a1745d008d2a1e44239e42c2d6786c99
                              • Instruction Fuzzy Hash: A3814F34B102099FDB54DBA9D46576E7BB7FF89300F118529D809EB384EE35EC428B91
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2514623050.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6650000_RegAsm.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e8cf459a3b2db396ce1450158ddcbde0814ef3594a4ec979f27cfdd22135e521
                              • Instruction ID: 12fcce39d8a6027f699a2dcf7acbd43da4d4ec994f0c3467d184f520481a9cb7
                              • Opcode Fuzzy Hash: e8cf459a3b2db396ce1450158ddcbde0814ef3594a4ec979f27cfdd22135e521
                              • Instruction Fuzzy Hash: 34912C34E106198FDB60DF68C890B9DBBB1FF89310F208695D559BB381DB70AA85CF91
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2514623050.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6650000_RegAsm.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5c84d2aaf887f293d98e24b1b825318c30583516b7c60b31795c3efd4791bfcc
                              • Instruction ID: cdd47cd9073a40e6a52e77ce40b8a75d638bd40d8f405fd25c5dfe39e0a9c45d
                              • Opcode Fuzzy Hash: 5c84d2aaf887f293d98e24b1b825318c30583516b7c60b31795c3efd4791bfcc
                              • Instruction Fuzzy Hash: B5912C34E106198BDF60DF68C890B9DBBB1FF89310F208599D559BB341DB70AA85CF90
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2514623050.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6650000_RegAsm.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0ad78758c4d9d4590cfcf1227dc6559a06e00f45d4b1273872cd116533f89614
                              • Instruction ID: 8d4e68565fc322bb67f03f80405db9afff2ba2266d2c702a34ed6028c8216c39
                              • Opcode Fuzzy Hash: 0ad78758c4d9d4590cfcf1227dc6559a06e00f45d4b1273872cd116533f89614
                              • Instruction Fuzzy Hash: FD619131F102199FEB549BA5C8157AEBBF2FF88700F20842AE506AB395DF758C458F90
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2514623050.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6650000_RegAsm.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f1daf452783040c0fc547ea9f853d1d6e4083135a3b61444ddfb133db74b217b
                              • Instruction ID: c580bb0798641c36135f91faa615e1e3fee97b7dc573ea62b8edf26369eead39
                              • Opcode Fuzzy Hash: f1daf452783040c0fc547ea9f853d1d6e4083135a3b61444ddfb133db74b217b
                              • Instruction Fuzzy Hash: 47516671B602069FDB64EB78D86076EB7F2FB88310F508569C909DB354EE30DD428B95
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2514623050.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6650000_RegAsm.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1173f88c77ba683c2cfb0189c8cfba14ca75735df4790777dbfcde76c5fa817d
                              • Instruction ID: 778535e92f10015d562d32b2f154fbfba4d0906cf2ebc8345a33ea162f650e41
                              • Opcode Fuzzy Hash: 1173f88c77ba683c2cfb0189c8cfba14ca75735df4790777dbfcde76c5fa817d
                              • Instruction Fuzzy Hash: AB41A371F102099FEB559FA5C814BAEBBF6BF88700F208529E506AB395DF748C058F90
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2514623050.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6650000_RegAsm.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b22104c7c397e3dd407631819611f672dc6e4715794779883f72640c507e0935
                              • Instruction ID: 91d885976447089020c49896d6c23c6a1a81bc971456997576260797e7bb8282
                              • Opcode Fuzzy Hash: b22104c7c397e3dd407631819611f672dc6e4715794779883f72640c507e0935
                              • Instruction Fuzzy Hash: 60417C31E006199FDF70CE99D882BAFF7B5EB84210F10492EE656D3A40D370E9458B92
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2514623050.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6650000_RegAsm.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5d43ede79caf6382d52a1dc1bb43d85de65b9a9be9d5f991db759aceef9690dd
                              • Instruction ID: e0a1cb0e78165c70688f793ae51d83c8e3b941dda345b6fbd7cd67cd153e4fad
                              • Opcode Fuzzy Hash: 5d43ede79caf6382d52a1dc1bb43d85de65b9a9be9d5f991db759aceef9690dd
                              • Instruction Fuzzy Hash: 27310530B002068FDB55AB34C4A97AF7BA2BB89600F554568D847DB349DE35CC46CBE1
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2514623050.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6650000_RegAsm.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 4521278b8caabbda7c7216776d28d58881eebc53422c1c34c22e261bef9e8a41
                              • Instruction ID: 355c084508101e63d3e5fbc8d5b5471571748af1680e13041991f7469e78e8df
                              • Opcode Fuzzy Hash: 4521278b8caabbda7c7216776d28d58881eebc53422c1c34c22e261bef9e8a41
                              • Instruction Fuzzy Hash: 5631D230B0020A8FDB54AB34C46966F7BA3BB89610F654568D807DB388DE35DC46CBE1
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2514623050.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6650000_RegAsm.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: cd76aacf59ee28e52808684e868e17dddfb7c7f429c4815842af052e1ae6525a
                              • Instruction ID: 159cb18fb996e73e68d465dd8f00bf3070e6bd615b9f6e3e8ae85955e582cf39
                              • Opcode Fuzzy Hash: cd76aacf59ee28e52808684e868e17dddfb7c7f429c4815842af052e1ae6525a
                              • Instruction Fuzzy Hash: 29317074E106199FCB15CFA5D49969EBBF2FF89310F10851AE856E7340EB70AC42CB90
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2514623050.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6650000_RegAsm.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1c3d692f1dcf9e334fdf8d9e7c52cef4de5a74b6ec3007360e4b238727155a35
                              • Instruction ID: 1589101abfae9a50f958ec785ab6b7287d6d07ab452b058e188807f190c87990
                              • Opcode Fuzzy Hash: 1c3d692f1dcf9e334fdf8d9e7c52cef4de5a74b6ec3007360e4b238727155a35
                              • Instruction Fuzzy Hash: D7316D74E106199FCB15CFA5C49969EBBF2FF89310F10852AE856E7350EB70AC42CB50
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2514623050.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6650000_RegAsm.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 91eca09adeca55ebad2960c1b1cb871cb38d13e10a02bfe9f7bd1f5d474b4b21
                              • Instruction ID: cde80d989751fa6f8b0984b5a17788ec54a65539d2c988b48cdd29dafbd44c39
                              • Opcode Fuzzy Hash: 91eca09adeca55ebad2960c1b1cb871cb38d13e10a02bfe9f7bd1f5d474b4b21
                              • Instruction Fuzzy Hash: 3431C131E007159FDB61CEA9CC817AFBBB6FB84200F11492EE555D3A90C770A8458B92
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2514623050.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6650000_RegAsm.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 37ebc5c6019df107bb04a7777a823dde6c3a6cc2eb66f10280da8602ef18f9b5
                              • Instruction ID: b5369c0977d0235ac60f7b7cb8451fcf1b8a44c9247668757b21150fccfbfee7
                              • Opcode Fuzzy Hash: 37ebc5c6019df107bb04a7777a823dde6c3a6cc2eb66f10280da8602ef18f9b5
                              • Instruction Fuzzy Hash: 53215E76F212159FDB50DFA9D981AAEBBF6FB48710F114025EA05E7340E731DD118B90
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2514623050.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6650000_RegAsm.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7ea9c7d8feaba0c3791c4eb3227c1c0d6ac3f90cb7fc0b65c6732a42ab6f79fe
                              • Instruction ID: e5395344aad02699ec1ad5d667768b350adc054972725d88efb21055526f55ca
                              • Opcode Fuzzy Hash: 7ea9c7d8feaba0c3791c4eb3227c1c0d6ac3f90cb7fc0b65c6732a42ab6f79fe
                              • Instruction Fuzzy Hash: E4215076F202169FDB40DFA9D941BADBBF2BB48710F158025EA05E7384E731DD118B90
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2508739633.000000000109D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0109D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_109d000_RegAsm.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 65beed49886a4bce36ca28ff1ba53acb8910b9bac4d8a8139eeca82fc9640cf3
                              • Instruction ID: 9d1df3a3ea34e6e6b178753bc3c155b7faea6277f274626708164342452e18c5
                              • Opcode Fuzzy Hash: 65beed49886a4bce36ca28ff1ba53acb8910b9bac4d8a8139eeca82fc9640cf3
                              • Instruction Fuzzy Hash: 5C2122B1544304EFDF15CF64C9D0B26BBA1EB84314F24C9ADE9894B242C73AD846DB62
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2514623050.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6650000_RegAsm.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0b7f28691f27d160361898fbc91358d436b4ca86005bce7f703b356f4fc51596
                              • Instruction ID: 635791ce35bcad764f5cba88c33c0af28a5474cecf24aa0758efde6099f35b49
                              • Opcode Fuzzy Hash: 0b7f28691f27d160361898fbc91358d436b4ca86005bce7f703b356f4fc51596
                              • Instruction Fuzzy Hash: 1021B431F201199FDF54EAA9E5656ADB7A7FB84310F118925D805EB344EB31EC428B90
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2514623050.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6650000_RegAsm.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 48c730690ecf75e2a956a52d4913159f35df1b4411e400950ea8d0fece484c86
                              • Instruction ID: e9cce6b15bf51e100f8f83bf1f5306a44cbb9d51a1b5832e3deba70cf110082d
                              • Opcode Fuzzy Hash: 48c730690ecf75e2a956a52d4913159f35df1b4411e400950ea8d0fece484c86
                              • Instruction Fuzzy Hash: AB11E671E002199FCB54DB79C8412DEBBF6FB8A310F55856AD406EB300EA31DA41CBE0
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2514623050.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6650000_RegAsm.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 552b87de578d453ea93e3bef9f094d699ad0b598edb9bf8e749929bf12a2d046
                              • Instruction ID: 3f45c3a9538a8c9f2cc6b1f9df23a430c33d39b49e60068dd24493482e821b01
                              • Opcode Fuzzy Hash: 552b87de578d453ea93e3bef9f094d699ad0b598edb9bf8e749929bf12a2d046
                              • Instruction Fuzzy Hash: 8911A532B101294FDB649668D8246AE7BA7BBC8310F11853AD809E7344DE25DC0287D1
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2514623050.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6650000_RegAsm.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 19c7f94903bbc6fb42b02d1fa5caec54a0b02f2bf59e121b472fa13d6bcc4ce3
                              • Instruction ID: fe534dd3d2631cb40c3c30120bc86e44ced779aaa1c2793c28ba3119bd98d87b
                              • Opcode Fuzzy Hash: 19c7f94903bbc6fb42b02d1fa5caec54a0b02f2bf59e121b472fa13d6bcc4ce3
                              • Instruction Fuzzy Hash: 9001DF71B142200FDB61967DC9657AEABDADBC9710F15842AF40ACB385EE25CD0347A1
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2514623050.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6650000_RegAsm.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 872716d18fa8c73be519af25571ef8b8d558d1141a5d6a797b1332b921d6194f
                              • Instruction ID: fd1969f82084d90ae41797923f1e9a01f082705801d26cc6e882e639ce01dbdd
                              • Opcode Fuzzy Hash: 872716d18fa8c73be519af25571ef8b8d558d1141a5d6a797b1332b921d6194f
                              • Instruction Fuzzy Hash: 1E21EEB5D01259AFCB10CF9AD985BDEFBB4BB48210F14822AE918A7200C374A954CBA4
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2508739633.000000000109D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0109D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_109d000_RegAsm.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 84a04388303910470aa15d6927f96486ec1deef55ea9c6be71df9954fbb730d8
                              • Instruction ID: 4d49dff066470ea5680123eaa01ebd3e06ae15de8b039b9376de947b7afc68a5
                              • Opcode Fuzzy Hash: 84a04388303910470aa15d6927f96486ec1deef55ea9c6be71df9954fbb730d8
                              • Instruction Fuzzy Hash: 88110076544280DFCB12CF14C9D0B15BFA1FB84314F28C6A9E8894B652C33AD44ACF61
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2514623050.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6650000_RegAsm.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e653ca8867ce8f40b9c139fa0d44e9006b6b97de3f124646f1ca4549c9cdab0d
                              • Instruction ID: 111c848362155f47054ac5198645f0bce7efe7ac11dc6a61621a41791b94db5e
                              • Opcode Fuzzy Hash: e653ca8867ce8f40b9c139fa0d44e9006b6b97de3f124646f1ca4549c9cdab0d
                              • Instruction Fuzzy Hash: DA11D0B5D01259AFDB10CF9AD884BDEFBB4FB48310F10812AE918A7200C374A954CFA5
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2514623050.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6650000_RegAsm.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: fb3feee06766ad7705c1dda6d29cd575dc4706a21ca8b027e1a476cea5016222
                              • Instruction ID: e416840d537781eeec84f5d3dcf8019b4433c187fd196802433dcc6c15b3db8a
                              • Opcode Fuzzy Hash: fb3feee06766ad7705c1dda6d29cd575dc4706a21ca8b027e1a476cea5016222
                              • Instruction Fuzzy Hash: 4E01F771B246010FD760E678D8A176B77D3EF89710F004926E40EC7394EE21DC024395
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2514623050.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6650000_RegAsm.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ae5f704ba3540266d15e7073fe2a868515581ea744187d2a6855a1d6dfd3cc4f
                              • Instruction ID: ffd7aa5d68c36fe481e602f88cbdb0d914d1e0fb0e14c6a7cc9c84a63e33062d
                              • Opcode Fuzzy Hash: ae5f704ba3540266d15e7073fe2a868515581ea744187d2a6855a1d6dfd3cc4f
                              • Instruction Fuzzy Hash: 7D01A236B200255BDB95966CDC217EF7BABABC8300F15453AD909E7384DE259C1347D1
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2514623050.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6650000_RegAsm.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 62d938f954a1ba250d9fc446eea8ea747b4b14d263df87bd8d841721843eda03
                              • Instruction ID: ea55d8c8f89dc46268d3a193c9552e9ffac46ead1a1c7d05c483ad55277118a5
                              • Opcode Fuzzy Hash: 62d938f954a1ba250d9fc446eea8ea747b4b14d263df87bd8d841721843eda03
                              • Instruction Fuzzy Hash: 9601D131B142140FDB64957ED455B2FBADADBC9710F10843AE50EC7340ED61DC0243A1
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2514623050.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6650000_RegAsm.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e72f0963f8b5efe6a6da6afd97f4d875d4c9498ba0662dd1a31cefbe90596927
                              • Instruction ID: 8189ff4fbc68bee296af62346def1fc0b2df7fe7ea475b6d7560bb241c77af30
                              • Opcode Fuzzy Hash: e72f0963f8b5efe6a6da6afd97f4d875d4c9498ba0662dd1a31cefbe90596927
                              • Instruction Fuzzy Hash: A8018C71B245151BDB64EA7CE4A272AB3D6FB89710F108839E50EC7394EE21EC028795
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2514623050.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6650000_RegAsm.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 42b08fa6ff6e05745ae5e41e574c8690d89171ed34601892d4fcd3e822271377
                              • Instruction ID: 294504cc0641355b166400987a1cef74476274d0f141e3a0cf8e001766b03dbd
                              • Opcode Fuzzy Hash: 42b08fa6ff6e05745ae5e41e574c8690d89171ed34601892d4fcd3e822271377
                              • Instruction Fuzzy Hash: 9D01F435E103089BEF709668D44579DBBA9EB86320F10493AE90AEB341D632FD01C791
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2514623050.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6650000_RegAsm.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 073314b129a179a34e11a5846236acf2ab345c7fa5c15853e88da2e238adc735
                              • Instruction ID: 00850181a2ca4e9635338a02ebce1386d5e15355848872c113a4bad5dd558ecc
                              • Opcode Fuzzy Hash: 073314b129a179a34e11a5846236acf2ab345c7fa5c15853e88da2e238adc735
                              • Instruction Fuzzy Hash: D3E09271E192C89BCF51C6B0CA4279A3AA99B41304F264AD6D804CB381D236CA018351
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2514623050.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6650000_RegAsm.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 49c1549b2dda0de6c59137c9d8ded10100c3eb881e04f33fb010bf181c827aea
                              • Instruction ID: 6aa0444d3b4da7e35dc88ebd34199a1333eaf7c7a78c79aedcff9870f33e8838
                              • Opcode Fuzzy Hash: 49c1549b2dda0de6c59137c9d8ded10100c3eb881e04f33fb010bf181c827aea
                              • Instruction Fuzzy Hash: 72F0DA31A64219DFDB14DB94E869BADBF76BF84701F214119E402A7284CBB41C02CB81
                              Memory Dump Source
                              • Source File: 0000000B.00000002.2514623050.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6650000_RegAsm.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 99eaf142ca84b44b7758b2b24655deb4517eb82ac2963be868c188314192dacd
                              • Instruction ID: 1de367c74c851544b4478390b1313981e2be400b1dfb053dc3859cc0126d5bfd
                              • Opcode Fuzzy Hash: 99eaf142ca84b44b7758b2b24655deb4517eb82ac2963be868c188314192dacd
                              • Instruction Fuzzy Hash: 4DE01271E1428CEBDF50DAB4CA4675A77EDDB41314F218AA5DC08CB341E276DA018781