Windows Analysis Report
RFQ ENQ186 OI REQUIRE RATE.exe

Overview

General Information

Sample name: RFQ ENQ186 OI REQUIRE RATE.exe
Analysis ID: 1568201
MD5: 38404ead9ba6e2511ff62d3663221f40
SHA1: 9535d30dabd9e3adc3dab77491901bdc7f21f846
SHA256: aaa34da6d7b77f35129ae5bcc6910c8791ece25bf7ba160ed67d6c3397d81293
Tags: AgentTesla, exe, RFQ, user-cocaman

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected UAC Bypass using CMSTP
.NET source code contains process injector
.NET source code references suspicious native API functions
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Disables UAC (registry)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file does not import any functions
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Outbound SMTP Connections
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • RFQ ENQ186 OI REQUIRE RATE.exe (PID: 2828 cmdline: "C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe" MD5: 38404EAD9BA6E2511FF62D3663221F40)
    • conhost.exe (PID: 1912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 4816 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe" -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 2260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • jsc.exe (PID: 7156 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe" MD5: 94C8E57A80DFCA2482DEDB87B93D4FD9)
    • RegAsm.exe (PID: 3892 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
    • RegAsm.exe (PID: 3852 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
    • WerFault.exe (PID: 7000 cmdline: C:\Windows\system32\WerFault.exe -u -p 2828 -s 1284 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware configuration (AgentTesla): {"Exfil Mode": "SMTP", "Port": "25", "Host": "mail.iaa-airferight.com", "Username": "admin@iaa-airferight.com", "Password": "manlikeyou88"}
Yara matches in process memory dumps (Source | Rule | Description | Author):
  • 00000000.00000002.2242828331.000002528D8F0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
  • 00000006.00000002.3325098337.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
  • 00000006.00000002.3325098337.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
  • 00000006.00000002.3326730589.0000000002E0E000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
  • 00000000.00000002.2242828331.000002528D415000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security

Yara matches in unpacked PE files (Source | Rule | Description | Author | Strings):
  • 0.2.RFQ ENQ186 OI REQUIRE RATE.exe.2529d4b6d38.4.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
  • 0.2.RFQ ENQ186 OI REQUIRE RATE.exe.2529d4b6d38.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
  • 0.2.RFQ ENQ186 OI REQUIRE RATE.exe.2529d4b6d38.4.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen | Strings:
    • 0x316cb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
    • 0x3173d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
    • 0x317c7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
    • 0x31859:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
    • 0x318c3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
    • 0x31935:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
    • 0x319cb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
    • 0x31a5b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
  • 0.2.RFQ ENQ186 OI REQUIRE RATE.exe.2529d4f1780.5.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
  • 0.2.RFQ ENQ186 OI REQUIRE RATE.exe.2529d4f1780.5.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe", ParentImage: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe, ParentProcessId: 2828, ParentProcessName: RFQ ENQ186 OI REQUIRE RATE.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe" -Force, ProcessId: 4816, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe", ParentImage: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe, ParentProcessId: 2828, ParentProcessName: RFQ ENQ186 OI REQUIRE RATE.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe" -Force, ProcessId: 4816, ProcessName: powershell.exe
Source: Network Connection | Author: frack113 | Data: DestinationIp: 46.175.148.58, DestinationIsIpv6: false, DestinationPort: 25, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Initiated: true, ProcessId: 3892, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49699
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe", ParentImage: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe, ParentProcessId: 2828, ParentProcessName: RFQ ENQ186 OI REQUIRE RATE.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe" -Force, ProcessId: 4816, ProcessName: powershell.exe
No Suricata rule has matched


AV Detection

Source: RFQ ENQ186 OI REQUIRE RATE.exe | Avira: detected
Source: 0.2.RFQ ENQ186 OI REQUIRE RATE.exe.2529d4f1780.5.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "25", "Host": "mail.iaa-airferight.com", "Username": "admin@iaa-airferight.com", "Password": "manlikeyou88"}
Source: RFQ ENQ186 OI REQUIRE RATE.exe | ReversingLabs: Detection: 52%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: RFQ ENQ186 OI REQUIRE RATE.exe | Joe Sandbox ML: detected

Exploits

Source: Yara match | File source: 00000000.00000002.2242828331.000002528D8F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2242828331.000002528D415000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RFQ ENQ186 OI REQUIRE RATE.exe PID: 2828, type: MEMORYSTR
Source: RFQ ENQ186 OI REQUIRE RATE.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WER6B55.tmp.dmp.10.dr
Source: Binary string: System.Management.pdb= source: WER6B55.tmp.dmp.10.dr
Source: Binary string: System.ni.pdbRSDS source: WER6B55.tmp.dmp.10.dr
Source: Binary string: System.Windows.Forms.ni.pdb source: WER6B55.tmp.dmp.10.dr
Source: Binary string: System.Drawing.ni.pdb source: WER6B55.tmp.dmp.10.dr
Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER6B55.tmp.dmp.10.dr
Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER6B55.tmp.dmp.10.dr
Source: Binary string: System.Drawing.ni.pdbRSDS source: WER6B55.tmp.dmp.10.dr
Source: Binary string: System.Core.pdbH source: WER6B55.tmp.dmp.10.dr
Source: Binary string: System.pdb source: WER6B55.tmp.dmp.10.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WER6B55.tmp.dmp.10.dr
Source: Binary string: System.Core.ni.pdb source: WER6B55.tmp.dmp.10.dr
Source: Binary string: System.Windows.Forms.pdb source: WER6B55.tmp.dmp.10.dr
Source: Binary string: System.Windows.Forms.pdbh source: WER6B55.tmp.dmp.10.dr
Source: Binary string: Microsoft.VisualBasic.pdbIL_STUB_PInvoke source: WER6B55.tmp.dmp.10.dr
Source: Binary string: mscorlib.pdb source: WER6B55.tmp.dmp.10.dr
Source: Binary string: mscorlib.pdb source: WER6B55.tmp.dmp.10.dr
Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER6B55.tmp.dmp.10.dr
Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WER6B55.tmp.dmp.10.dr
Source: Binary string: System.Drawing.pdb source: WER6B55.tmp.dmp.10.dr
Source: Binary string: System.Management.pdb source: WER6B55.tmp.dmp.10.dr
Source: Binary string: mscorlib.ni.pdb source: WER6B55.tmp.dmp.10.dr
Source: Binary string: System.Management.ni.pdb source: WER6B55.tmp.dmp.10.dr
Source: Binary string: System.Core.pdb source: WER6B55.tmp.dmp.10.dr
Source: Binary string: System.ni.pdb source: WER6B55.tmp.dmp.10.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WER6B55.tmp.dmp.10.dr
Source: Joe Sandbox View | IP Address: 46.175.148.58
Source: global traffic | TCP traffic: 192.168.2.6:49699 -> 46.175.148.58:25
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: mail.iaa-airferight.com
Source: RegAsm.exe, 00000006.00000002.3326730589.0000000002E16000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.iaa-airferight.com
Source: Amcache.hve.10.dr | String found in binary or memory: http://upx.sf.net
Source: RFQ ENQ186 OI REQUIRE RATE.exe, 00000000.00000002.2243618807.000002529D3E1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.3325098337.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.RFQ ENQ186 OI REQUIRE RATE.exe.2529d4f1780.5.raw.unpack, SKTzxzsJw.cs | .Net Code: sf6jJs8S
Source: 0.2.RFQ ENQ186 OI REQUIRE RATE.exe.2529d4b6d38.4.raw.unpack, SKTzxzsJw.cs | .Net Code: sf6jJs8S

System Summary

Source: 0.2.RFQ ENQ186 OI REQUIRE RATE.exe.2529d4b6d38.4.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.RFQ ENQ186 OI REQUIRE RATE.exe.2529d4f1780.5.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.RFQ ENQ186 OI REQUIRE RATE.exe.2529d4f1780.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.RFQ ENQ186 OI REQUIRE RATE.exe.2529d4b6d38.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.RFQ ENQ186 OI REQUIRE RATE.exe.2529d3e1a78.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: initial sample | Static PE information: Filename: RFQ ENQ186 OI REQUIRE RATE.exe
Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe | Code function: 0_2_00007FFD348C64F9 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe | Code function: 0_2_00007FFD348C63BA NtProtectVirtualMemory
Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe | Code function: 0_2_00007FFD348CF111
Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe | Code function: 0_2_00007FFD348C7530
Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe | Code function: 0_2_00007FFD348C5D30
Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe | Code function: 0_2_00007FFD348CED30
Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe | Code function: 0_2_00007FFD348CE4C4
Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe | Code function: 0_2_00007FFD348CC63D
Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe | Code function: 0_2_00007FFD348CADC8
Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe | Code function: 0_2_00007FFD348CC448
Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe | Code function: 0_2_00007FFD348CD554
Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe | Code function: 0_2_00007FFD348CA065
Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe | Code function: 0_2_00007FFD348CADF2
Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe | Code function: 0_2_00007FFD348CD256
Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe | Code function: 0_2_00007FFD348CC2F3
Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe | Code function: 0_2_00007FFD348CC431
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_02C39378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_02C34A98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_02C39B38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_02C33E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_02C3CDB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_02C341C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_064756E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_06473F50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_0647BD08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_0647DD18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_06479AE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_06472B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_06478BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_06470040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_06473250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_06475000
Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2828 -s 1284
Source: RFQ ENQ186 OI REQUIRE RATE.exe | Static PE information: No import functions for PE file found
Source: RFQ ENQ186 OI REQUIRE RATE.exe, 00000000.00000000.2084101003.000002528B592000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameClarmontFerrand.exe4 vs RFQ ENQ186 OI REQUIRE RATE.exe
Source: RFQ ENQ186 OI REQUIRE RATE.exe, 00000000.00000002.2243618807.000002529D3E1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameClarmontFerrand.exe4 vs RFQ ENQ186 OI REQUIRE RATE.exe
Source: RFQ ENQ186 OI REQUIRE RATE.exe, 00000000.00000002.2243618807.000002529D3E1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename7e5bb978-3a35-43a5-95fe-dd44d69d6a5a.exe4 vs RFQ ENQ186 OI REQUIRE RATE.exe
Source: RFQ ENQ186 OI REQUIRE RATE.exe, 00000000.00000002.2243618807.000002529D3E1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUjawoweluquwaremez: vs RFQ ENQ186 OI REQUIRE RATE.exe
Source: RFQ ENQ186 OI REQUIRE RATE.exe, 00000000.00000002.2243618807.000002529D622000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUjawoweluquwaremez: vs RFQ ENQ186 OI REQUIRE RATE.exe
Source: RFQ ENQ186 OI REQUIRE RATE.exe | Binary or memory string: OriginalFilenameClarmontFerrand.exe4 vs RFQ ENQ186 OI REQUIRE RATE.exe
Source: 0.2.RFQ ENQ186 OI REQUIRE RATE.exe.2529d4b6d38.4.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.RFQ ENQ186 OI REQUIRE RATE.exe.2529d4f1780.5.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.RFQ ENQ186 OI REQUIRE RATE.exe.2529d4f1780.5.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.RFQ ENQ186 OI REQUIRE RATE.exe.2529d4b6d38.4.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.RFQ ENQ186 OI REQUIRE RATE.exe.2529d3e1a78.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.RFQ ENQ186 OI REQUIRE RATE.exe.2529d4f1780.5.raw.unpack, 4JJG6X.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.RFQ ENQ186 OI REQUIRE RATE.exe.2529d4f1780.5.raw.unpack, 4JJG6X.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.RFQ ENQ186 OI REQUIRE RATE.exe.2529d4f1780.5.raw.unpack, 8C78isHTVco.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.RFQ ENQ186 OI REQUIRE RATE.exe.2529d4f1780.5.raw.unpack, 8C78isHTVco.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.RFQ ENQ186 OI REQUIRE RATE.exe.2529d4f1780.5.raw.unpack, 8C78isHTVco.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.RFQ ENQ186 OI REQUIRE RATE.exe.2529d4f1780.5.raw.unpack, 8C78isHTVco.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.RFQ ENQ186 OI REQUIRE RATE.exe.2529d4f1780.5.raw.unpack, CqSP68Ir.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.RFQ ENQ186 OI REQUIRE RATE.exe.2529d4f1780.5.raw.unpack, CqSP68Ir.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winEXE@12/10@1/1
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1912:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2260:120:WilError_03
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2828
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_r3v0hxen.3ug.ps1Jump to behavior
                    Source: RFQ ENQ186 OI REQUIRE RATE.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: RFQ ENQ186 OI REQUIRE RATE.exeStatic file information: TRID: Win64 Executable Console Net Framework (206006/5) 48.58%
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                    Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: RFQ ENQ186 OI REQUIRE RATE.exeReversingLabs: Detection: 52%
                    Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exeFile read: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exeJump to behavior
                    Source: unknownProcess created: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe "C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe"
                    Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe" -Force
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
                    Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
                    Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
                    Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2828 -s 1284
                    Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe" -ForceJump to behavior
                    Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"Jump to behavior
Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe  Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe  Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe  Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe  Section loaded: version.dll
Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe  Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe  Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe  Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe  Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe  Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe  Section loaded: wldp.dll
Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe  Section loaded: amsi.dll
Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe  Section loaded: userenv.dll
Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe  Section loaded: profapi.dll
Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe  Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe  Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe  Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe  Section loaded: propsys.dll
Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe  Section loaded: edputil.dll
Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe  Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe  Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe  Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe  Section loaded: netutils.dll
Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe  Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe  Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe  Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe  Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe  Section loaded: slc.dll
Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe  Section loaded: sppc.dll
Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe  Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe  Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wininet.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Section loaded: vaultcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe  File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: RFQ ENQ186 OI REQUIRE RATE.exe  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: RFQ ENQ186 OI REQUIRE RATE.exe  Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WER6B55.tmp.dmp.10.dr
Source: Binary string: System.Management.pdb= source: WER6B55.tmp.dmp.10.dr
Source: Binary string: System.ni.pdbRSDS source: WER6B55.tmp.dmp.10.dr
Source: Binary string: System.Windows.Forms.ni.pdb source: WER6B55.tmp.dmp.10.dr
Source: Binary string: System.Drawing.ni.pdb source: WER6B55.tmp.dmp.10.dr
Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER6B55.tmp.dmp.10.dr
Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER6B55.tmp.dmp.10.dr
Source: Binary string: System.Drawing.ni.pdbRSDS source: WER6B55.tmp.dmp.10.dr
Source: Binary string: System.Core.pdbH source: WER6B55.tmp.dmp.10.dr
Source: Binary string: System.pdb source: WER6B55.tmp.dmp.10.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WER6B55.tmp.dmp.10.dr
Source: Binary string: System.Core.ni.pdb source: WER6B55.tmp.dmp.10.dr
Source: Binary string: System.Windows.Forms.pdb source: WER6B55.tmp.dmp.10.dr
Source: Binary string: System.Windows.Forms.pdbh source: WER6B55.tmp.dmp.10.dr
Source: Binary string: Microsoft.VisualBasic.pdbIL_STUB_PInvoke source: WER6B55.tmp.dmp.10.dr
Source: Binary string: mscorlib.pdb source: WER6B55.tmp.dmp.10.dr
Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER6B55.tmp.dmp.10.dr
Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WER6B55.tmp.dmp.10.dr
Source: Binary string: System.Drawing.pdb source: WER6B55.tmp.dmp.10.dr
Source: Binary string: System.Management.pdb source: WER6B55.tmp.dmp.10.dr
Source: Binary string: mscorlib.ni.pdb source: WER6B55.tmp.dmp.10.dr
Source: Binary string: System.Management.ni.pdb source: WER6B55.tmp.dmp.10.dr
Source: Binary string: System.Core.pdb source: WER6B55.tmp.dmp.10.dr
Source: Binary string: System.ni.pdb source: WER6B55.tmp.dmp.10.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WER6B55.tmp.dmp.10.dr

Data Obfuscation

Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe  Unpacked PE file: 0.2.RFQ ENQ186 OI REQUIRE RATE.exe.2528b590000.0.unpack .text:ER;.rsrc:R; vs Unknown_Section0:ER;Unknown_Section1:R;
Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe  Code function: 0_2_00007FFD348CF111 push ebx; retf 0_2_00007FFD348CF32C
Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe  Code function: 0_2_00007FFD348C00BD pushad ; iretd 0_2_00007FFD348C00C1
Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe  Code function: 0_2_00007FFD34990112 push esp; retf 4810h 0_2_00007FFD34990312
Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe  Code function: 0_2_00007FFD34990479 push 10000004h; retf 0_2_00007FFD349904B9
Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe  File created: \rfq enq186 oi require rate.exe

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe  Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WerFault.exe - Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                    Source: C:\Windows\System32\WerFault.exe - Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: Yara match - File source: Process Memory Space: RFQ ENQ186 OI REQUIRE RATE.exe PID: 2828, type: MEMORYSTR
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe - WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
                    Source: RFQ ENQ186 OI REQUIRE RATE.exe, 00000000.00000002.2242828331.000002528D3D1000.00000004.00000800.00020000.00000000.sdmp, RFQ ENQ186 OI REQUIRE RATE.exe, 00000000.00000002.2242828331.000002528D415000.00000004.00000800.00020000.00000000.sdmp, RFQ ENQ186 OI REQUIRE RATE.exe, 00000000.00000002.2242828331.000002528D8F0000.00000004.00000800.00020000.00000000.sdmp - Binary or memory string: WINE_GET_UNIX_FILE_NAME
                    Source: RFQ ENQ186 OI REQUIRE RATE.exe, 00000000.00000002.2242828331.000002528D3D1000.00000004.00000800.00020000.00000000.sdmp, RFQ ENQ186 OI REQUIRE RATE.exe, 00000000.00000002.2242828331.000002528D415000.00000004.00000800.00020000.00000000.sdmp, RFQ ENQ186 OI REQUIRE RATE.exe, 00000000.00000002.2242828331.000002528D8F0000.00000004.00000800.00020000.00000000.sdmp - Binary or memory string: SBIEDLL.DLL
                    Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe - Memory allocated: 2528B7C0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe - Memory allocated: 252A53D0000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Memory allocated: 2C30000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Memory allocated: 2DC0000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Memory allocated: 4DC0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe - Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier
                    Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe - File opened / queried: C:\WINDOWS\system32\drivers\vmmouse.sys
                    Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe - Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\disk\Enum name: 0
                    Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe - File opened / queried: C:\WINDOWS\system32\drivers\vmhgfs.sys
                    Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe - File opened / queried: C:\WINDOWS\system32\drivers\VBoxMouse.sys
                    Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe - Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                    Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe - Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                    Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe - Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 7103
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 2434
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Window / User API: threadDelayed 3613
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Window / User API: threadDelayed 6227
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 380 - Thread sleep time: -7378697629483816s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1976 - Thread sleep count: 38 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1976 - Thread sleep time: -35048813740048126s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1976 - Thread sleep time: -100000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4904 - Thread sleep count: 3613 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1976 - Thread sleep time: -99562s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1976 - Thread sleep time: -99314s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1976 - Thread sleep time: -99062s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1976 - Thread sleep time: -98936s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1976 - Thread sleep time: -98828s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4904 - Thread sleep count: 6227 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1976 - Thread sleep time: -98717s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1976 - Thread sleep time: -98608s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1976 - Thread sleep time: -98497s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1976 - Thread sleep time: -98390s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1976 - Thread sleep time: -98280s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1976 - Thread sleep time: -98157s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1976 - Thread sleep time: -98031s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1976 - Thread sleep time: -97906s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1976 - Thread sleep time: -97797s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1976 - Thread sleep time: -97672s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1976 - Thread sleep time: -97562s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1976 - Thread sleep time: -97453s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1976 - Thread sleep time: -97343s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1976 - Thread sleep time: -97234s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1976 - Thread sleep time: -97111s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1976 - Thread sleep time: -96984s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1976 - Thread sleep time: -96867s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1976 - Thread sleep time: -96749s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1976 - Thread sleep time: -96503s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1976 - Thread sleep time: -96362s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1976 - Thread sleep time: -96141s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1976 - Thread sleep time: -96025s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1976 - Thread sleep time: -95919s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1976 - Thread sleep time: -95812s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1976 - Thread sleep time: -95703s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1976 - Thread sleep time: -95593s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1976 - Thread sleep time: -95484s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1976 - Thread sleep time: -95375s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1976 - Thread sleep time: -95265s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1976 - Thread sleep time: -95156s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1976 - Thread sleep time: -95047s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1976 - Thread sleep time: -94937s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1976 - Thread sleep time: -94828s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1976 - Thread sleep time: -94719s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1976 - Thread sleep time: -94609s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1976 - Thread sleep time: -94500s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1976 - Thread sleep time: -94390s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1976 - Thread sleep time: -94281s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1976 - Thread sleep time: -94172s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1976 - Thread sleep time: -94062s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1976 - Thread sleep time: -93953s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1976 - Thread sleep time: -93844s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1976 - Thread sleep time: -93734s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1976 - Thread sleep time: -93608s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1976 - Thread sleep time: -93481s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1976Thread sleep time: -93373s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1976Thread sleep time: -93246s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 100000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 99562
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 99314
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 99062
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 98936
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 98828
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 98717
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 98608
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 98497
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 98390
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 98280
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 98157
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 98031
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 97906
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 97797
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 97672
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 97562
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 97453
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 97343
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 97234
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 97111
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 96984
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 96867
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 96749
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 96503
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 96362
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 96141
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 96025
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 95919
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 95812
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 95703
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 95593
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 95484
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 95375
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 95265
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 95156
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 95047
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 94937
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 94828
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 94719
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 94609
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 94500
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 94390
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 94281
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 94172
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 94062
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 93953
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 93844
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 93734
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 93608
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 93481
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 93373
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 93246
                    Source: Amcache.hve.10.dr | Binary or memory string: VMware
                    Source: Amcache.hve.10.dr | Binary or memory string: VMware Virtual USB Mouse
                    Source: Amcache.hve.10.dr | Binary or memory string: vmci.syshbin
                    Source: Amcache.hve.10.dr | Binary or memory string: VMware, Inc.
                    Source: RFQ ENQ186 OI REQUIRE RATE.exe, 00000000.00000002.2242828331.000002528D8F0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                    Source: Amcache.hve.10.dr | Binary or memory string: VMware20,1hbin@
                    Source: Amcache.hve.10.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                    Source: Amcache.hve.10.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                    Source: Amcache.hve.10.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                    Source: Amcache.hve.10.dr | Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
                    Source: Amcache.hve.10.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                    Source: RFQ ENQ186 OI REQUIRE RATE.exe, 00000000.00000002.2242828331.000002528D8F0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE
                    Source: RFQ ENQ186 OI REQUIRE RATE.exe, 00000000.00000002.2242828331.000002528D8F0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
                    Source: Amcache.hve.10.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                    Source: RFQ ENQ186 OI REQUIRE RATE.exe, 00000000.00000002.2242828331.000002528D8F0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA II
                    Source: RFQ ENQ186 OI REQUIRE RATE.exe, 00000000.00000002.2242828331.000002528D8F0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                    Source: Amcache.hve.10.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
                    Source: Amcache.hve.10.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                    Source: Amcache.hve.10.dr | Binary or memory string: vmci.sys
                    Source: RFQ ENQ186 OI REQUIRE RATE.exe, 00000000.00000002.2242828331.000002528D8F0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
                    Source: Amcache.hve.10.dr | Binary or memory string: vmci.syshbin`
                    Source: RFQ ENQ186 OI REQUIRE RATE.exe, 00000000.00000002.2242828331.000002528D3D1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: &C:\WINDOWS\system32\drivers\vmhgfs.sys
                    Source: RFQ ENQ186 OI REQUIRE RATE.exe, 00000000.00000002.2242828331.000002528D8F0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
                    Source: Amcache.hve.10.dr | Binary or memory string: \driver\vmci,\driver\pci
                    Source: RFQ ENQ186 OI REQUIRE RATE.exe, 00000000.00000002.2242828331.000002528D8F0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
                    Source: RFQ ENQ186 OI REQUIRE RATE.exe, 00000000.00000002.2242828331.000002528D8F0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                    Source: Amcache.hve.10.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                    Source: Amcache.hve.10.dr | Binary or memory string: VMware20,1
                    Source: Amcache.hve.10.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
                    Source: Amcache.hve.10.dr | Binary or memory string: NECVMWar VMware SATA CD00
                    Source: Amcache.hve.10.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
                    Source: Amcache.hve.10.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                    Source: Amcache.hve.10.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                    Source: Amcache.hve.10.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                    Source: Amcache.hve.10.dr | Binary or memory string: VMware PCI VMCI Bus Device
                    Source: RFQ ENQ186 OI REQUIRE RATE.exe, 00000000.00000002.2242828331.000002528D3D1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: %C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                    Source: RFQ ENQ186 OI REQUIRE RATE.exe, 00000000.00000002.2242828331.000002528D8F0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
                    Source: RFQ ENQ186 OI REQUIRE RATE.exe, 00000000.00000002.2242828331.000002528D3D1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: )C:\WINDOWS\system32\drivers\VBoxMouse.sys
                    Source: RFQ ENQ186 OI REQUIRE RATE.exe, 00000000.00000002.2242828331.000002528D8F0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
                    Source: Amcache.hve.10.dr | Binary or memory string: VMware VMCI Bus Device
                    Source: Amcache.hve.10.dr | Binary or memory string: VMware Virtual RAM
                    Source: RegAsm.exe, 00000006.00000002.3329858117.0000000006210000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll(`
                    Source: Amcache.hve.10.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                    Source: RFQ ENQ186 OI REQUIRE RATE.exe, 00000000.00000002.2242828331.000002528D3D1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: "SOFTWARE\VMware, Inc.\VMware Tools
                    Source: RFQ ENQ186 OI REQUIRE RATE.exe, 00000000.00000002.2242828331.000002528D3D1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'C:\WINDOWS\system32\drivers\vmmouse.sys
                    Source: Amcache.hve.10.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe | Process queried: DebugPort
                    Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe | Process token adjusted: Debug
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe | Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: RFQ ENQ186 OI REQUIRE RATE.exe, --.cs | .Net Code: _31C2_322C_3211_31C2 contains injection code
                    Source: 0.2.RFQ ENQ186 OI REQUIRE RATE.exe.2529d3e1a78.3.raw.unpack, --.cs | .Net Code: _31C2_322C_3211_31C2 contains injection code
                    Source: RFQ ENQ186 OI REQUIRE RATE.exe, --.cs | Reference to suspicious API methods: LoadLibrary((string)((object[])(object)_318F_3208_31CD_321D_318F_31C2)[0])
                    Source: RFQ ENQ186 OI REQUIRE RATE.exe, --.cs | Reference to suspicious API methods: GetProcAddress((IntPtr)val3, (string)((object[])(object)_318F_3208_31CD_321D_318F_31C2)[1])
                    Source: RFQ ENQ186 OI REQUIRE RATE.exe, --.cs | Reference to suspicious API methods: NtProtectVirtualMemory((IntPtr)val2, ref *(IntPtr*)(&_31EF_A9BB_318F_31C6), ref *(IntPtr*)(&_31D9_31C2_3200_A980_319C), 64u, ref *(uint*)(&_322B_3205))
                    Source: RFQ ENQ186 OI REQUIRE RATE.exe, --.cs | Reference to suspicious API methods: NtWriteVirtualMemory((IntPtr)val2, (IntPtr)_31EF_A9BB_318F_31C6, (byte[])(object)_318F, checked((uint)_318F.Length), (IntPtr)val7)
                    Source: 0.2.RFQ ENQ186 OI REQUIRE RATE.exe.2529d4f1780.5.raw.unpack, zOS.cs | Reference to suspicious API methods: _120HqGy.OpenProcess(_2pIt.DuplicateHandle, bInheritHandle: true, (uint)iVE.ProcessID)
                    Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe" -Force
                    Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
                    Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
                    Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43C000
                    Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43E000
                    Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: F0C008
                    Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe" -Force
                    Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
                    Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
                    Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe | Queries volume information: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Lowering of HIPS / PFW / Operating System Security Settings

                    Source: C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA
                    Source: Amcache.hve.10.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                    Source: Amcache.hve.10.dr | Binary or memory string: msmpeng.exe
                    Source: Amcache.hve.10.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
                    Source: Amcache.hve.10.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
                    Source: Amcache.hve.10.dr | Binary or memory string: MsMpEng.exe

                    Stealing of Sensitive Information

                    Source: Yara matchFile source: 0.2.RFQ ENQ186 OI REQUIRE RATE.exe.2529d4b6d38.4.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.RFQ ENQ186 OI REQUIRE RATE.exe.2529d4f1780.5.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.RFQ ENQ186 OI REQUIRE RATE.exe.2529d4f1780.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.RFQ ENQ186 OI REQUIRE RATE.exe.2529d4b6d38.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.RFQ ENQ186 OI REQUIRE RATE.exe.2529d3e1a78.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000006.00000002.3325098337.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000006.00000002.3326730589.0000000002E0E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000006.00000002.3326730589.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.2243618807.000002529D3E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: RFQ ENQ186 OI REQUIRE RATE.exe PID: 2828, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 3892, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match, File source: 0.2.RFQ ENQ186 OI REQUIRE RATE.exe.2529d4b6d38.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.RFQ ENQ186 OI REQUIRE RATE.exe.2529d4f1780.5.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.RFQ ENQ186 OI REQUIRE RATE.exe.2529d4f1780.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.RFQ ENQ186 OI REQUIRE RATE.exe.2529d4b6d38.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.RFQ ENQ186 OI REQUIRE RATE.exe.2529d3e1a78.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000006.00000002.3325098337.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.3326730589.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.2243618807.000002529D3E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: RFQ ENQ186 OI REQUIRE RATE.exe PID: 2828, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: RegAsm.exe PID: 3892, type: MEMORYSTR

                    Remote Access Functionality

Source: Yara match, File source: 0.2.RFQ ENQ186 OI REQUIRE RATE.exe.2529d4b6d38.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.RFQ ENQ186 OI REQUIRE RATE.exe.2529d4f1780.5.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.RFQ ENQ186 OI REQUIRE RATE.exe.2529d4f1780.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.RFQ ENQ186 OI REQUIRE RATE.exe.2529d4b6d38.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.RFQ ENQ186 OI REQUIRE RATE.exe.2529d3e1a78.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000006.00000002.3325098337.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.3326730589.0000000002E0E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.3326730589.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.2243618807.000002529D3E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: RFQ ENQ186 OI REQUIRE RATE.exe PID: 2828, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: RegAsm.exe PID: 3892, type: MEMORYSTR
MITRE ATT&CK Matrix (techniques listed per tactic column; a leading number on a technique is the count badge shown in the report, kept as extracted)

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services
Execution: 221 Windows Management Instrumentation, 1 Native API, At, Cron, Launchd, Scheduled Task, Systemd Timers
Persistence: 1 DLL Side-Loading, Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items
Privilege Escalation: 311 Process Injection, 1 DLL Side-Loading, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items
Defense Evasion: 21 Disable or Modify Tools, 261 Virtualization/Sandbox Evasion, 311 Process Injection, 1 Deobfuscate/Decode Files or Information, 1 Obfuscated Files or Information, 1 Software Packing, 1 DLL Side-Loading
Credential Access: 2 OS Credential Dumping, 1 Input Capture, 1 Credentials in Registry, NTDS, LSA Secrets, Cached Domain Credentials, DCSync
Discovery: 341 Security Software Discovery, 1 Process Discovery, 261 Virtualization/Sandbox Evasion, 1 Application Window Discovery, 1 File and Directory Discovery, 24 System Information Discovery, Remote System Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management
Collection: 1 Email Collection, 1 Input Capture, 11 Archive Collected Data, 2 Data from Local System, Keylogging, GUI Input Capture, Web Portal Capture
Command and Control: 1 Encrypted Channel, 1 Non-Application Layer Protocol, 11 Application Layer Protocol, Protocol Impersonation, Fallback Channels, Multiband Communication, Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery
Source | Detection | Scanner | Label
RFQ ENQ186 OI REQUIRE RATE.exe | 53% | ReversingLabs | Win64.Trojan.AgentTesla
RFQ ENQ186 OI REQUIRE RATE.exe | 100% | Avira | HEUR/AGEN.1313324
RFQ ENQ186 OI REQUIRE RATE.exe | 100% | Joe Sandbox ML |
                    No Antivirus matches
                    No Antivirus matches
                    No Antivirus matches
                    No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
mail.iaa-airferight.com | 46.175.148.58 | true | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://upx.sf.net | Amcache.hve.10.dr | false | | high
https://account.dyn.com/ | RFQ ENQ186 OI REQUIRE RATE.exe, 00000000.00000002.2243618807.000002529D3E1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.3325098337.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
http://mail.iaa-airferight.com | RegAsm.exe, 00000006.00000002.3326730589.0000000002E16000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
46.175.148.58 | mail.iaa-airferight.com | Ukraine | 56394 | ASLAGIDKOM-NETUA | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1568201
Start date and time: 2024-12-04 12:50:07 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 17s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 14
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: RFQ ENQ186 OI REQUIRE RATE.exe
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winEXE@12/10@1/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 75%
• Number of executed functions: 76
• Number of non-executed functions: 4
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 20.189.173.22
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, otelrules.azureedge.net, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
• VT rate limit hit for: RFQ ENQ186 OI REQUIRE RATE.exe
Time | Type | Description
06:50:57 | API Interceptor | 22x Sleep call for process: powershell.exe modified
06:50:58 | API Interceptor | 181x Sleep call for process: RegAsm.exe modified
06:51:09 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
Match: 46.175.148.58 (IP)
Associated Sample Name | Detection | Threat Name
v58HgfB8Af.exe | malicious | AgentTesla
l6F8Xgr0Ov.exe | malicious | AgentTesla
SPlVyHiGOz.exe | malicious | AgentTesla, DarkTortilla
2bOizaPPDC.exe | malicious | AgentTesla
McEdhqMMhs.exe | malicious | AgentTesla, DarkTortilla
55qIbHIAZi.exe | malicious | AgentTesla, DarkTortilla
tEEa6j67ss.exe | malicious | AgentTesla
RXvVlckUyt.exe | malicious | AgentTesla
LEVER STYLE SEP BUY ORDER & C248SH12.exe | malicious | AgentTesla
PO for fabric forecast.exe | malicious | AgentTesla

Match: mail.iaa-airferight.com (domain)
Associated Sample Name | Detection | Threat Name | Context
v58HgfB8Af.exe | malicious | AgentTesla | 46.175.148.58
l6F8Xgr0Ov.exe | malicious | AgentTesla | 46.175.148.58
SPlVyHiGOz.exe | malicious | AgentTesla, DarkTortilla | 46.175.148.58
2bOizaPPDC.exe | malicious | AgentTesla | 46.175.148.58
McEdhqMMhs.exe | malicious | AgentTesla, DarkTortilla | 46.175.148.58
55qIbHIAZi.exe | malicious | AgentTesla, DarkTortilla | 46.175.148.58
tEEa6j67ss.exe | malicious | AgentTesla | 46.175.148.58
RXvVlckUyt.exe | malicious | AgentTesla | 46.175.148.58
LEVER STYLE SEP BUY ORDER & C248SH12.exe | malicious | AgentTesla | 46.175.148.58
PO for fabric forecast.exe | malicious | AgentTesla | 46.175.148.58

Match: ASLAGIDKOM-NETUA (ASN)
Associated Sample Name | Detection | Threat Name | Context
v58HgfB8Af.exe | malicious | AgentTesla | 46.175.148.58
l6F8Xgr0Ov.exe | malicious | AgentTesla | 46.175.148.58
SPlVyHiGOz.exe | malicious | AgentTesla, DarkTortilla | 46.175.148.58
2bOizaPPDC.exe | malicious | AgentTesla | 46.175.148.58
McEdhqMMhs.exe | malicious | AgentTesla, DarkTortilla | 46.175.148.58
55qIbHIAZi.exe | malicious | AgentTesla, DarkTortilla | 46.175.148.58
tEEa6j67ss.exe | malicious | AgentTesla | 46.175.148.58
RXvVlckUyt.exe | malicious | AgentTesla | 46.175.148.58
LEVER STYLE SEP BUY ORDER & C248SH12.exe | malicious | AgentTesla | 46.175.148.58
PO for fabric forecast.exe | malicious | AgentTesla | 46.175.148.58
                                                No context
                                                No context
Process: C:\Windows\System32\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 1.2428139692094424
Encrypted: false
SSDEEP: 192:7dkFYxW7z0UnUFaWj3m31TYdzuiFBZ24lO8L:7aFYw7gUnUFaY2JYzuiFBY4lO8L
MD5: E8945237FAD1E645D610091D90DED698
SHA1: 40C389F2F6AAEF0335522B46B2A741960765DE3A
SHA-256: AA0BD141E951C2D1696EAD32AC5AF15606F61B13710F7A00BD664A08AB82ADD1
SHA-512: 5CAE4152E6A50F13A0B54A77C76B4129A5C16276DE12A5242E7693F5C2B8B2FED20DE9AD4708558CA87C26132D9B2421110B0FA3002296EC96DC1303F1102CC1
Malicious: false
Reputation: low
                                                Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.7.7.8.6.6.5.7.2.6.3.7.1.3.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.7.7.8.6.6.5.8.7.7.9.3.4.2.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.b.e.d.6.5.c.9.-.c.e.8.a.-.4.9.a.9.-.9.0.c.c.-.f.d.e.3.c.8.c.6.6.6.a.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.4.a.f.f.0.f.4.-.8.a.4.0.-.4.7.5.c.-.a.4.4.7.-.d.6.0.4.c.8.b.4.3.7.1.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.R.F.Q. .E.N.Q.1.8.6. . .O.I. . .R.E.Q.U.I.R.E. .R.A.T.E...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.C.l.a.r.m.o.n.t.F.e.r.r.a.n.d...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.b.0.c.-.0.0.0.1.-.0.0.1.5.-.b.f.1.6.-.8.f.c.5.4.2.4.6.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.8.f.c.c.a.1.f.1.7.3.6.0.c.6.8.6.1.a.d.b.7.7.1.f.b.9.8.3.e.f.2.5.0.0.0.0.0.0.0.0.!.0.0.0.0.9.5.3.5.d.3.0.d.a.b.d.9.e.3.a.d.c.3.d.a.b.7.7.4.9.1.
Process: C:\Windows\System32\WerFault.exe
File Type: Mini DuMP crash report, 16 streams, Wed Dec 4 11:50:57 2024, 0x1205a4 type
Category: dropped
Size (bytes): 547300
Entropy (8bit): 3.2071040154302533
Encrypted: false
SSDEEP: 6144:zOoJgnOSwrN3AS4Se8CgxAqWJZp3pp57GvM/+3ZPd3LqYRzWOJC5DeyxyVhMyJSk:zEOSM8q858QWT
MD5: 75893D477F5C841D9CCD4766F8D5D57C
SHA1: 8392B6C7C81B6336BC307EEEE942B609B16F83DD
SHA-256: 97AB8D352BEE1FEE5A5F068ECD5819675B99E21A9F151671B5BEEAD1AE6E3259
SHA-512: 38329B22CDCE1A75209964911FBC4F5482E2CE55571C5E418B44DAACB83CECB2D68E674BF6365B6207D485031869E31734F177E7A820BCFC771520D914BE86D1
Malicious: false
Reputation: low
                                                Preview:MDMP..a..... .......!BPg............................$.......$....(......d!...).......Z..r...........l.......8...........T...........H@..............|J..........hL..............................................................................eJ.......M......Lw......................T............BPg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Windows\System32\WerFault.exe
File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 8670
Entropy (8bit): 3.717894868451058
Encrypted: false
SSDEEP: 192:R6l7wVeJ4e6g36Y2DKXdYpgmfVL8prm89beJ9f5Km:R6lXJZ96YXXdMgmfVLWezf1
MD5: 711485719EFDD03F389EFEA0BCDC40B1
SHA1: C43446B45756BCF4659AF37638837EC893BA9D8A
SHA-256: 20668736DE6FC4F5930DFB853F738B12972505F2A345C2545288D9E7105904BF
SHA-512: E28C708E99B20F6721D01699C7E5EF78222C2B2A0DD8B56CA643501C75A178160954D136F44CB79076E4E81E5BEF6ED705A23124F6BC4FBCABA264ACD10C7327
Malicious: false
Reputation: low
                                                Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.8.2.8.<./.P.i.
Process: C:\Windows\System32\WerFault.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 4853
Entropy (8bit): 4.566236034461998
Encrypted: false
SSDEEP: 96:uIjfTI7rFk7VBJRC/CXRE0CXMxnaCt+CtWd:uI/Yrm7dRC/CXVCXM1aCt+Cts
MD5: 6EA3D396FCB1DB34FAD7AF2F997250D1
SHA1: A37EF6087511A165AF60DD30F4C23B8EEB85689C
SHA-256: A2A57C47EB99C3D9ED31DC04EFC935C5A00EDE4951DA5BE82F6C5304BADFF272
SHA-512: D8BB521CCD76C2DC3AB461AE65BC3F323653AF28D08CF76E9A1634E577029FE7695D393A5822264741569CA6E5206E9791D4DD7700ED29AE3EC22C4EE192DD01
Malicious: false
                                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="616493" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 1.1940658735648508
Encrypted: false
SSDEEP: 3:Nlllul/nq/llh:NllUyt
MD5: AB80AD9A08E5B16132325DF5584B2CBE
SHA1: F7411B7A5826EE6B139EBF40A7BEE999320EF923
SHA-256: 5FBE5D71CECADD2A3D66721019E68DD78C755AA39991A629AE81C77B531733A4
SHA-512: 9DE2FB33C0EA36E1E174850AD894659D6B842CD624C1A543B2D391C8EBC74719F47FA88D0C4493EA820611260364C979C9CDF16AF1C517132332423CA0CB7654
Malicious: false
                                                Preview:@...e................................................@..........
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode
                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                Malicious:false
                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                Process:C:\Windows\System32\WerFault.exe
                                                File Type:MS Windows registry file, NT/2000 or above
                                                Category:dropped
                                                Size (bytes):1835008
                                                Entropy (8bit):4.468985508787238
                                                Encrypted:false
                                                SSDEEP:6144:4zZfpi6ceLPx9skLmb0fnZWSP3aJG8nAgeiJRMMhA2zX4WABluuNjjDH5S:uZHtnZWOKnMM6bFpxj4
                                                MD5:5B45AF7AC0359F95D9B35828788ED6AA
                                                SHA1:74582CACA99A4F7BDADEBDE33E7206A42E7EFC38
                                                SHA-256:C86632E6BBE149E982ACAB17A8A6E7F26EB6FD7C4D81AEBCE1327B3342F296F9
                                                SHA-512:EC533CEFD07A9439E35EDC5E2B9ED6CCF3FC142DE9B23418AEDDB664DAA4F99BD2060BCE05F004608653FD9293A6056C62EA1E1D8B4814F5C1D44B476BB52955
                                                Malicious:false
                                                Preview:regfH...H....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm....BF..............................................................................................................................................................................................................................................................................................................................................Z...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                File type:PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
                                                Entropy (8bit):7.97478388309872
                                                TrID:
                                                • Win64 Executable Console Net Framework (206006/5) 48.58%
                                                • Win64 Executable Console (202006/5) 47.64%
                                                • Win64 Executable (generic) (12005/4) 2.83%
                                                • Generic Win/DOS Executable (2004/3) 0.47%
                                                • DOS Executable Generic (2002/1) 0.47%
                                                File name:RFQ ENQ186 OI REQUIRE RATE.exe
                                                File size:632'891 bytes
                                                MD5:38404ead9ba6e2511ff62d3663221f40
                                                SHA1:9535d30dabd9e3adc3dab77491901bdc7f21f846
                                                SHA256:aaa34da6d7b77f35129ae5bcc6910c8791ece25bf7ba160ed67d6c3397d81293
                                                SHA512:f271f5cc026739d363c1e9ca20cb96f2a9e21e913758de89c8ddd0eeb1b9a3cd683111207f48fb619a30dd86fa3ff2c58b7484846e423ac48dfd9f6508be3e17
                                                SSDEEP:6144:jDQkDtnj6gePeD7wTr7kkOjLitFPijyOnaMLmCKhoUy8KORaKP+479Pj7zemACFC:jDtD22oTr4jmmxaMCDKD347VTsLVY0
                                                TLSH:CDD4235830B1532BCB65C5F598B6996254B6AB111087DF28C3C21BF68BFFBC52172AF0
                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....{Og.........."...0.J................ ....@...... ....................................`................................
                                                Icon Hash:00928e8e8686b000
                                                Entrypoint:0x400000
                                                Entrypoint Section:
                                                Digitally signed:false
                                                Imagebase:0x400000
                                                Subsystem:windows cui
                                                Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                Time Stamp:0x674F7BBE [Tue Dec 3 21:44:30 2024 UTC]
                                                TLS Callbacks:
                                                CLR (.Net) Version:
                                                OS Version Major:4
                                                OS Version Minor:0
                                                File Version Major:4
                                                File Version Minor:0
                                                Subsystem Version Major:4
                                                Subsystem Version Minor:0
                                                Import Hash:
                                                Instruction
                                                dec ebp
                                                pop edx
                                                nop
                                                add byte ptr [ebx], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax+eax], al
                                                add byte ptr [eax], al
                                                Name | Virtual Address | Virtual Size | Is in Section
                                                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xe000 | 0x4ee | .rsrc
                                                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2000 | 0x48 | .text
                                                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                .text | 0x2000 | 0xb44a | 0xb600 | e729e44be938916c3e3c8c2071d8b8a5 | False | 0.5978708791208791 | data | 6.466687415521677 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                .rsrc | 0xe000 | 0x4ee | 0x600 | 793f9baed0e0eb4bb3e991d8668f4f26 | False | 0.376953125 | data | 3.754171490921727 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                RT_VERSION | 0xe0a0 | 0x264 | data | | | 0.4542483660130719
                                                RT_MANIFEST | 0xe304 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
                                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                Dec 4, 2024 12:51:00.252027035 CET | 49699 | 25 | 192.168.2.6 | 46.175.148.58
                                                Dec 4, 2024 12:51:01.324357986 CET | 49699 | 25 | 192.168.2.6 | 46.175.148.58
                                                Dec 4, 2024 12:51:03.424465895 CET | 49699 | 25 | 192.168.2.6 | 46.175.148.58
                                                Dec 4, 2024 12:51:07.433737040 CET | 49699 | 25 | 192.168.2.6 | 46.175.148.58
                                                Dec 4, 2024 12:51:15.449402094 CET | 49699 | 25 | 192.168.2.6 | 46.175.148.58
                                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                Dec 4, 2024 12:50:59.867543936 CET | 57054 | 53 | 192.168.2.6 | 1.1.1.1
                                                Dec 4, 2024 12:51:00.093386889 CET | 53 | 57054 | 1.1.1.1 | 192.168.2.6
                                                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                Dec 4, 2024 12:50:59.867543936 CET | 192.168.2.6 | 1.1.1.1 | 0x3e21 | Standard query (0) | mail.iaa-airferight.com | A (IP address) | IN (0x0001) | false
                                                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                Dec 4, 2024 12:51:00.093386889 CET | 1.1.1.1 | 192.168.2.6 | 0x3e21 | No error (0) | mail.iaa-airferight.com | | 46.175.148.58 | A (IP address) | IN (0x0001) | false


                                                Target ID:0
                                                Start time:06:50:53
                                                Start date:04/12/2024
                                                Path:C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe
                                                Wow64 process (32bit):false
                                                Commandline:"C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe"
                                                Imagebase:0x2528b590000
                                                File size:632'891 bytes
                                                MD5 hash:38404EAD9BA6E2511FF62D3663221F40
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2242828331.000002528D8F0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2242828331.000002528D415000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2243618807.000002529D3E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2243618807.000002529D3E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                Reputation:low
                                                Has exited:true

                                                Target ID:1
                                                Start time:06:50:53
                                                Start date:04/12/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff66e660000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:3
                                                Start time:06:50:56
                                                Start date:04/12/2024
                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                Wow64 process (32bit):false
                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ ENQ186 OI REQUIRE RATE.exe" -Force
                                                Imagebase:0x7ff6e3d50000
                                                File size:452'608 bytes
                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:4
                                                Start time:06:50:56
                                                Start date:04/12/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff66e660000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:5
                                                Start time:06:50:56
                                                Start date:04/12/2024
                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
                                                Wow64 process (32bit):
                                                Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
                                                Imagebase:
                                                File size:47'584 bytes
                                                MD5 hash:94C8E57A80DFCA2482DEDB87B93D4FD9
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:moderate
                                                Has exited:false

                                                Target ID:6
                                                Start time:06:50:56
                                                Start date:04/12/2024
                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
                                                Imagebase:0xc50000
                                                File size:65'440 bytes
                                                MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.3325098337.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.3325098337.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.3326730589.0000000002E0E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.3326730589.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.3326730589.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                Reputation:high
                                                Has exited:false

                                                Target ID:7
                                                Start time:06:50:56
                                                Start date:04/12/2024
                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                Wow64 process (32bit):false
                                                Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
                                                Imagebase:0x2f0000
                                                File size:65'440 bytes
                                                MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:10
                                                Start time:06:50:57
                                                Start date:04/12/2024
                                                Path:C:\Windows\System32\WerFault.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\WerFault.exe -u -p 2828 -s 1284
                                                Imagebase:0x7ff7e5220000
                                                File size:570'736 bytes
                                                MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true


                                                  Execution Graph

                                                  Execution Coverage:14%
                                                  Dynamic/Decrypted Code Coverage:100%
                                                  Signature Coverage:14.6%
                                                  Total number of Nodes:41
                                                  Total number of Limit Nodes:4
                                                  execution_graph 10644 7ffd348c96fa 10645 7ffd348c9705 10644->10645 10647 7ffd348dc596 10645->10647 10651 7ffd348c9780 10645->10651 10648 7ffd348dc5a8 10647->10648 10655 7ffd348c96a8 10647->10655 10650 7ffd348dc638 10652 7ffd348dc600 10651->10652 10653 7ffd348dc638 10652->10653 10654 7ffd348c96a8 GetFileAttributesA 10652->10654 10653->10647 10654->10653 10656 7ffd348dc660 10655->10656 10657 7ffd348dc68c 10656->10657 10658 7ffd348dc9cb GetFileAttributesA 10656->10658 10657->10650 10659 7ffd348dca1f 10658->10659 10659->10650 10619 7ffd348c63ba 10620 7ffd348c63c9 NtProtectVirtualMemory 10619->10620 10622 7ffd348c64cf 10620->10622 10623 7ffd348c64f9 10624 7ffd348c6507 NtWriteVirtualMemory 10623->10624 10626 7ffd348c65d7 10624->10626 10631 7ffd348c96a8 10632 7ffd348dc660 10631->10632 10633 7ffd348dc68c 10632->10633 10634 7ffd348dc9cb GetFileAttributesA 10632->10634 10635 7ffd348dca1f 10634->10635 10627 7ffd348c4230 10628 7ffd348c424f FreeConsole 10627->10628 10630 7ffd348c42ce 10628->10630 10640 7ffd348c3964 10641 7ffd348c397a VirtualProtect 10640->10641 10643 7ffd348c3ae1 10641->10643 10660 7ffd348c970d 10662 7ffd348c96f0 10660->10662 10661 7ffd348c9780 GetFileAttributesA 10663 7ffd348dc596 10661->10663 10662->10661 10662->10663 10664 7ffd348dc5a8 10663->10664 10665 7ffd348c96a8 GetFileAttributesA 10663->10665 10666 7ffd348dc638 10665->10666 10636 7ffd348c3991 10637 7ffd348c3a3f VirtualProtect 10636->10637 10639 7ffd348c3ae1 10637->10639

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 0 7ffd348cc431-7ffd348cc441 1 7ffd348cc3c3-7ffd348cc3f1 0->1 2 7ffd348cc443-7ffd348cc449 0->2 3 7ffd348cc48b-7ffd348cc4bf 2->3 4 7ffd348cc44b-7ffd348cc44e 2->4 11 7ffd348cc4c1-7ffd348cc4c9 3->11 4->3 13 7ffd348cc4cc-7ffd348cc552 11->13 14 7ffd348cc517-7ffd348cc522 11->14 19 7ffd348cc554-7ffd348cc566 13->19 20 7ffd348cc59f-7ffd348cc5ae 13->20 17 7ffd348cc524-7ffd348cc528 14->17 18 7ffd348cc56f-7ffd348cc572 14->18 17->11 21 7ffd348cc52a-7ffd348cc541 17->21 27 7ffd348cc574-7ffd348cc57d 18->27 28 7ffd348cc5bf-7ffd348cc5c1 18->28 22 7ffd348cc56d-7ffd348cc57d 19->22 31 7ffd348cc5af-7ffd348cc5bd 20->31 29 7ffd348cc5c2 21->29 30 7ffd348cc543-7ffd348cc562 21->30 32 7ffd348cc57f-7ffd348cc59d 22->32 27->32 28->29 33 7ffd348cc5c4-7ffd348cc5ce 29->33 34 7ffd348cc60f-7ffd348cc612 29->34 30->31 54 7ffd348cc563-7ffd348cc566 30->54 31->28 32->20 37 7ffd348cc614-7ffd348cc616 34->37 38 7ffd348cc65f-7ffd348cc662 34->38 37->38 40 7ffd348cc664-7ffd348cc672 38->40 41 7ffd348cc6af-7ffd348cc6bd 38->41 45 7ffd348cc6bf-7ffd348cc6c2 40->45 50 7ffd348cc674-7ffd348cc6ae 40->50 41->45 48 7ffd348cc6c4-7ffd348cc70d 45->48 49 7ffd348cc70f-7ffd348cc712 45->49 48->49 52 7ffd348cc714-7ffd348cc72a 49->52 53 7ffd348cc75f-7ffd348cc762 49->53 50->41 67 7ffd348cc777-7ffd348cc77a 52->67 68 7ffd348cc72c-7ffd348cc766 52->68 59 7ffd348cc764-7ffd348cc766 53->59 60 7ffd348cc7af-7ffd348cc7bd 53->60 54->22 65 7ffd348cc76d-7ffd348cc775 59->65 75 7ffd348cc7bf-7ffd348cc7c2 60->75 65->67 72 7ffd348cc77c-7ffd348cc7bd 67->72 73 7ffd348cc7c7-7ffd348cc7c9 67->73 68->65 72->75 87 7ffd348cc817-7ffd348cc822 73->87 88 7ffd348cc7cc-7ffd348cc7ce 73->88 76 7ffd348cc7c4-7ffd348cc7ce 75->76 77 7ffd348cc80f-7ffd348cc812 75->77 89 7ffd348cc7d5-7ffd348cc7d8 76->89 80 7ffd348cc814-7ffd348cc816 77->80 81 7ffd348cc85f-7ffd348cc862 77->81 80->87 93 7ffd348cc864-7ffd348cc866 81->93 94 7ffd348cc8af-7ffd348cc8bd 81->94 103 7ffd348cc824-7ffd348cc849 87->103 104 
7ffd348cc86f-7ffd348cc872 87->104 88->89 95 7ffd348cc7da-7ffd348cc7f1 89->95 96 7ffd348cc856 89->96 101 7ffd348cc86d-7ffd348cc86e 93->101 105 7ffd348cc8bf-7ffd348cc8ce 94->105 100 7ffd348cc857-7ffd348cc866 96->100 100->101 101->104 121 7ffd348cc84b-7ffd348cc855 103->121 122 7ffd348cc8c7-7ffd348cc8c9 103->122 104->105 106 7ffd348cc874-7ffd348cc886 104->106 118 7ffd348cc8d5-7ffd348cc8d9 105->118 119 7ffd348cc8db-7ffd348cc916 118->119 120 7ffd348cc956-7ffd348cc9e0 118->120 128 7ffd348cc917-7ffd348cc939 119->128 133 7ffd348cc9ec-7ffd348cca28 120->133 134 7ffd348cc9e2-7ffd348cc9e7 call 7ffd348cadc8 120->134 121->100 127 7ffd348cc8cc-7ffd348cc8ce 122->127 122->128 127->118 139 7ffd348ccc24-7ffd348ccc39 133->139 140 7ffd348cca2e-7ffd348cca37 133->140 134->133 150 7ffd348ccc3b-7ffd348ccc42 139->150 151 7ffd348ccc43-7ffd348ccc4f 139->151 142 7ffd348cca39-7ffd348cca40 140->142 143 7ffd348ccaab-7ffd348ccab0 140->143 142->139 147 7ffd348cca46-7ffd348cca5f 142->147 144 7ffd348ccb22-7ffd348ccb2c 143->144 145 7ffd348ccab2-7ffd348ccabe 143->145 154 7ffd348ccb4e-7ffd348ccb56 144->154 155 7ffd348ccb2e 144->155 145->139 149 7ffd348ccac4-7ffd348ccad7 145->149 152 7ffd348cca89-7ffd348cca97 147->152 153 7ffd348cca61-7ffd348cca87 147->153 156 7ffd348ccb59-7ffd348ccb64 149->156 150->151 152->139 159 7ffd348cca9d-7ffd348ccaa9 152->159 153->152 162 7ffd348ccadc-7ffd348ccadf 153->162 154->156 160 7ffd348ccb33-7ffd348ccb3b call 7ffd348cade8 155->160 156->139 161 7ffd348ccb6a-7ffd348ccb85 156->161 159->142 159->143 167 7ffd348ccb40-7ffd348ccb4c 160->167 161->139 164 7ffd348ccb8b-7ffd348ccb9f 161->164 165 7ffd348ccaeb-7ffd348ccaf6 162->165 166 7ffd348ccae1 162->166 164->139 168 7ffd348ccba5-7ffd348ccbb6 164->168 165->139 169 7ffd348ccafc-7ffd348ccb21 165->169 166->165 167->154 168->139 172 7ffd348ccbb8-7ffd348ccbc7 168->172 173 7ffd348ccbc9-7ffd348ccbd4 172->173 174 7ffd348ccc12-7ffd348ccc23 172->174 173->174 176 7ffd348ccbd6-7ffd348ccc0d call 7ffd348cade8 173->176 176->174
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2245601336.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd348c0000_RFQ ENQ186 OI REQUIRE RATE.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: _${K_^$}K_^
                                                  • API String ID: 0-1128588802
                                                  • Opcode ID: b3377cc8cb48a45652291225f33d42d79991abc39446973d442fbef920d7e512
                                                  • Instruction ID: 7001cbe8bb48535bde1480319b28d122bba9623fc7386dd5b6a8f62cbd7948bb
                                                  • Opcode Fuzzy Hash: b3377cc8cb48a45652291225f33d42d79991abc39446973d442fbef920d7e512
                                                  • Instruction Fuzzy Hash: 1E32EA22B0D6925BE711AB7CA9F50E6BBE0EF4372470C01BBD18DCB193ED2C78469251

                                                  Control-flow Graph

                                                  • Executed
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2245601336.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd348c0000_RFQ ENQ186 OI REQUIRE RATE.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: d$po{4
                                                  • API String ID: 0-3542949154
                                                  • Opcode ID: b139157f9b26be7e8593359ef2f119afad94791b1168129d82ba2d897043120b
                                                  • Instruction ID: 8a43e995d0fa6dbb41a79a5f762ecd4feab9c27b2348518f13a6cce852ab8e11
                                                  • Opcode Fuzzy Hash: b139157f9b26be7e8593359ef2f119afad94791b1168129d82ba2d897043120b
                                                  • Instruction Fuzzy Hash: 3F225471A1CA4A4FE759EB2884E15B1B7D1EF56314B1842BAD98EC7197DE38FC438380

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 455 7ffd348c63ba-7ffd348c63c7 456 7ffd348c63c9-7ffd348c63d1 455->456 457 7ffd348c63d2-7ffd348c63e3 455->457 456->457 458 7ffd348c63e5-7ffd348c63ed 457->458 459 7ffd348c63ee-7ffd348c64cd NtProtectVirtualMemory 457->459 458->459 462 7ffd348c64d5-7ffd348c64f7 459->462 463 7ffd348c64cf 459->463 463->462
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2245601336.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd348c0000_RFQ ENQ186 OI REQUIRE RATE.jbxd
                                                  Similarity
                                                  • API ID: MemoryProtectVirtual
                                                  • String ID:
                                                  • API String ID: 2706961497-0
                                                  • Opcode ID: f4e9f56372430df626338c43ff5869fc7a63cfd075cd2025368e964413017ef5
                                                  • Instruction ID: f3acbaf34415c261e7330c5c738f818fd91afa14b62b2a144c6dd9b42fac3e4e
                                                  • Opcode Fuzzy Hash: f4e9f56372430df626338c43ff5869fc7a63cfd075cd2025368e964413017ef5
                                                  • Instruction Fuzzy Hash: 4541EC3190C7884FD719DB6CD8557E97BF1EB5A321F0442AFD089D3292CA746846C792

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 464 7ffd348c64f9-7ffd348c6505 465 7ffd348c6507-7ffd348c650f 464->465 466 7ffd348c6510-7ffd348c6588 464->466 465->466 470 7ffd348c658a-7ffd348c658f 466->470 471 7ffd348c6592-7ffd348c65d5 NtWriteVirtualMemory 466->471 470->471 472 7ffd348c65d7 471->472 473 7ffd348c65dd-7ffd348c65fa 471->473 472->473
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2245601336.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd348c0000_RFQ ENQ186 OI REQUIRE RATE.jbxd
                                                  Similarity
                                                  • API ID: MemoryVirtualWrite
                                                  • String ID:
                                                  • API String ID: 3527976591-0
                                                  • Opcode ID: 0dc729c7ed36ca1f024ad4f6468d5531d154e6054ed431795d1f7adcd04b29f2
                                                  • Instruction ID: 5464698bec04cc8fd5bf411dcc3a367360370d6143e6f946fff2f2fb2635fcb7
                                                  • Opcode Fuzzy Hash: 0dc729c7ed36ca1f024ad4f6468d5531d154e6054ed431795d1f7adcd04b29f2
                                                  • Instruction Fuzzy Hash: 1A41C23190CB488FDB59DF5898956A9BBF0FF6A321F04426FD049D3692CB74A806CB81

                                                  Control-flow Graph

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2245601336.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd348c0000_RFQ ENQ186 OI REQUIRE RATE.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d79faf01ec3d990ef5ef3b2228fc90e88b44c3502568ecbf827ccebbb4e4573f
                                                  • Instruction ID: 56061c8a039f5b08fddf61b9df40fd7aadd2b88cb4e980f561206cc7b4f688cb
                                                  • Opcode Fuzzy Hash: d79faf01ec3d990ef5ef3b2228fc90e88b44c3502568ecbf827ccebbb4e4573f
                                                  • Instruction Fuzzy Hash: 8CA2463060CB4A4FE719DB28C4A44B5BBE1FF96305B1445BFE58AC72A6DE39E846C740
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2245601336.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd348c0000_RFQ ENQ186 OI REQUIRE RATE.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 26c29b1f11c44a78283a83545c90da37fd810056f5c22801e477e10a367aeb2a
                                                  • Instruction ID: 2e165839bb828d48ed76d54c67836729e87a95dedc9846c718b8a6d5abc4ea25
                                                  • Opcode Fuzzy Hash: 26c29b1f11c44a78283a83545c90da37fd810056f5c22801e477e10a367aeb2a
                                                  • Instruction Fuzzy Hash: 4F723931A0C6864BE76D8B1484A16B67BE1EF93310F1851BDD58ECB5D3DE2CAC86D740
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2245601336.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd348c0000_RFQ ENQ186 OI REQUIRE RATE.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 8934875608c0196ba7b7bd46feea5f2e04bc0ed7366f3819593df02744fce279
                                                  • Instruction ID: 86f9214f06986635838e4849a3889bbc42bade553324adf5acd762407421c6ce
                                                  • Opcode Fuzzy Hash: 8934875608c0196ba7b7bd46feea5f2e04bc0ed7366f3819593df02744fce279
                                                  • Instruction Fuzzy Hash: 4652A630B0EA094FDB68DB2898A567977E1FF5B305F1401BEE54EC7292DE28EC429741
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2245601336.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd348c0000_RFQ ENQ186 OI REQUIRE RATE.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 777ee9afb19030f10a80b83085563191f49054be5640bd22ccc15c0129734631
                                                  • Instruction ID: c90203dd01ae36a0beb5bf3c85515d9f3d4ff148a80f88eff6d3079583174422
                                                  • Opcode Fuzzy Hash: 777ee9afb19030f10a80b83085563191f49054be5640bd22ccc15c0129734631
                                                  • Instruction Fuzzy Hash: A832883160CB854FE759DB2888A15B5B7E1FFD6301B0445BFE58AC7292EE2DAC42D381
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2245601336.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd348c0000_RFQ ENQ186 OI REQUIRE RATE.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c43963ff75831e34ec4b031039c81980e152f9ddc325bdc7bdb4a31b5f126fab
                                                  • Instruction ID: 25278c1936e67e002fd27b64e42e7bfbb9d3bf57ae3c661a0387b7ee72329458
                                                  • Opcode Fuzzy Hash: c43963ff75831e34ec4b031039c81980e152f9ddc325bdc7bdb4a31b5f126fab
                                                  • Instruction Fuzzy Hash: EE123B71B0F9894FE36CEB1C88A65A977D1EF9B310B1403BED58DD72B2D92C68064781
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2245601336.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd348c0000_RFQ ENQ186 OI REQUIRE RATE.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1e9944d46d2234cd844eca13f83ac41c2a4053f553257debe5a38cd0e856da56
                                                  • Instruction ID: 8d8f56bf98db66182c41308b76f2cc35b6d5df48e019a94e6ea9fb38cb9c3430
                                                  • Opcode Fuzzy Hash: 1e9944d46d2234cd844eca13f83ac41c2a4053f553257debe5a38cd0e856da56
                                                  • Instruction Fuzzy Hash: B2D1D321A1E7C60FE3569B3889A10A1BFE1EF5361071942FBC5DACB1D3DA1CA847D352
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2245601336.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd348c0000_RFQ ENQ186 OI REQUIRE RATE.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c96903e4fff4e9a74fa15c90db54f60fc9956a15320181f271f6ce707e0a6fb4
                                                  • Instruction ID: 0981dbe8723952234617b722bf37b47c9e3a4031442f048ebf4a3d8578918078
                                                  • Opcode Fuzzy Hash: c96903e4fff4e9a74fa15c90db54f60fc9956a15320181f271f6ce707e0a6fb4
                                                  • Instruction Fuzzy Hash: 4AD14931A0CB854FE319CB2988E15B5B7D2FFD6301B1446BFE5C6C72A5DA28E842C781
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2245601336.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd348c0000_RFQ ENQ186 OI REQUIRE RATE.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4b17e4e44edf7a9d7d94a0d6db63cd7c08220664c1a21a92e286c34737d286de
                                                  • Instruction ID: d613360a1198a78479342088a98e08ddce0e3c174aff9b186ddf7b23da3a8b58
                                                  • Opcode Fuzzy Hash: 4b17e4e44edf7a9d7d94a0d6db63cd7c08220664c1a21a92e286c34737d286de
                                                  • Instruction Fuzzy Hash: 9EA1EC66B0D6D61FE7629B7C59B61E5BBE0DF1332470802FBC189CB193ED1C680A9352

                                                  Control-flow Graph

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2245601336.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd348c0000_RFQ ENQ186 OI REQUIRE RATE.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d3deea807fc02a1e9837237ac7b8712abce1d8dc74020d15b86809f22783d68f
                                                  • Instruction ID: 36013b4f7120475a9d79786cf8b179d0497e0a0cba68ccfbd9df0ceea4ea8997
                                                  • Opcode Fuzzy Hash: d3deea807fc02a1e9837237ac7b8712abce1d8dc74020d15b86809f22783d68f
                                                  • Instruction Fuzzy Hash: BAD12930609A894FE759DF28C8A56B577E1FF96311F14427EE48FC7292DE38E8428781

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 347 7ffd348c3964-7ffd348c3978 348 7ffd348c39a5-7ffd348c3adf VirtualProtect 347->348 349 7ffd348c397a-7ffd348c398e 347->349 353 7ffd348c3ae7-7ffd348c3b0f 348->353 354 7ffd348c3ae1 348->354 349->348 354->353
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2245601336.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd348c0000_RFQ ENQ186 OI REQUIRE RATE.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 735abfd12a193282b09bcee7b9b187f84d9ed45d28f1d20215c8344cd6a23be6
                                                  • Instruction ID: 1841221ee78a9ee16446d12252fac4a2074ce3c96a7f719d5b96a50197dcb76a
                                                  • Opcode Fuzzy Hash: 735abfd12a193282b09bcee7b9b187f84d9ed45d28f1d20215c8344cd6a23be6
                                                  • Instruction Fuzzy Hash: DB519A7190E7C84FD7079BB898656E87FB0EF67210F0A41DFD085CB1A3D628591AC7A2

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 355 7ffd348c3991-7ffd348c3adf VirtualProtect 359 7ffd348c3ae7-7ffd348c3b0f 355->359 360 7ffd348c3ae1 355->360 360->359
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2245601336.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd348c0000_RFQ ENQ186 OI REQUIRE RATE.jbxd
                                                  Similarity
                                                  • API ID: ProtectVirtual
                                                  • String ID:
                                                  • API String ID: 544645111-0
                                                  • Opcode ID: 5432b9c8abf1e38b9f54bfb78cf775375f05a735a2547e345f7c4cbee7044279
                                                  • Instruction ID: 231617c82af181f4bf0bd8ac396f63ee2020e1b60ce32d37b227c772b1bfa1e6
                                                  • Opcode Fuzzy Hash: 5432b9c8abf1e38b9f54bfb78cf775375f05a735a2547e345f7c4cbee7044279
                                                  • Instruction Fuzzy Hash: B9519B7190D7C84FC7069BA898256E87FF0EF67211F0945DFD085CB1A3DA28A81AC762

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 474 7ffd348c4230-7ffd348c42cc FreeConsole 478 7ffd348c42ce 474->478 479 7ffd348c42d4-7ffd348c42fb 474->479 478->479
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2245601336.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd348c0000_RFQ ENQ186 OI REQUIRE RATE.jbxd
                                                  Similarity
                                                  • API ID: ConsoleFree
                                                  • String ID:
                                                  • API String ID: 771614528-0
                                                  • Opcode ID: 9fe772f9f06b6bf4d429dbd929a56e1b33e8ef11f23bc5a8711c86c070d17f59
                                                  • Instruction ID: b3f42fedc33f4aa1d11b62a8732fbcba56597d770882b3b8a78d423b30ef36df
                                                  • Opcode Fuzzy Hash: 9fe772f9f06b6bf4d429dbd929a56e1b33e8ef11f23bc5a8711c86c070d17f59
                                                  • Instruction Fuzzy Hash: 8F31A97190CB488FDB65DF59D84A6E97BF0EF66320F00415FD049D3152D6746846CB51

                                                  Control-flow Graph

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2245823652.00007FFD34990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34990000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd34990000_RFQ ENQ186 OI REQUIRE RATE.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: A
                                                  • API String ID: 0-3554254475
                                                  • Opcode ID: 2e1148fe8a675597dd859b055100e133d780c1cbaa1956453db9fbbe5bb685ca
                                                  • Instruction ID: b38394505b9860e1b71794333e85518540c9a267e38ebb3d3ef1abf6a241f150
                                                  • Opcode Fuzzy Hash: 2e1148fe8a675597dd859b055100e133d780c1cbaa1956453db9fbbe5bb685ca
                                                  • Instruction Fuzzy Hash: 97A1463190DB898FDB5ACB28C8A55E47BE0FF57304F1901FED059CB19BDA296846C750
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2245823652.00007FFD34990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34990000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd34990000_RFQ ENQ186 OI REQUIRE RATE.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 67976733ba0848594cacac67946a2f368b776147989614d24525d9dd4977eea5
                                                  • Instruction ID: 8cc88ca46954bf638ac3a654632916a96eda623fe6a940ede10a269953407bae
                                                  • Opcode Fuzzy Hash: 67976733ba0848594cacac67946a2f368b776147989614d24525d9dd4977eea5
                                                  • Instruction Fuzzy Hash: E3D15A71A0D7C54FEB55DB2888A65A87BE0FF57300F0905FED589CB097DA2D6806C361
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2245823652.00007FFD34990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34990000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd34990000_RFQ ENQ186 OI REQUIRE RATE.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 25b07686f60f0463256f126bfdad3a63b8e1be5b65713a8804024e4b687996ac
                                                  • Instruction ID: 4a66023b84e9c0629212ce199152f1fa437d1eb041458f08901887142170d574
                                                  • Opcode Fuzzy Hash: 25b07686f60f0463256f126bfdad3a63b8e1be5b65713a8804024e4b687996ac
                                                  • Instruction Fuzzy Hash: 66613B31A0DA894FEB55DB68C8A65A97BF0FF56300B0401FED44EC7197DE2DA806C791
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2245823652.00007FFD34990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34990000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd34990000_RFQ ENQ186 OI REQUIRE RATE.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: cf2e9db460b446d65ffc69f5e2bf1ad371d7d7a21ad568109b8ef882f96d97d3
                                                  • Instruction ID: 5288d78003557210fa77b80767f86caaa87f9850bc8cd2d97907903c17df7f9d
                                                  • Opcode Fuzzy Hash: cf2e9db460b446d65ffc69f5e2bf1ad371d7d7a21ad568109b8ef882f96d97d3
                                                  • Instruction Fuzzy Hash: 78311231A08A4D8FEF58EF18C8AA5B877E0FF55300B1402BED54AD7599DE39B802D780
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2245823652.00007FFD34990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34990000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd34990000_RFQ ENQ186 OI REQUIRE RATE.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d6d2cf34e6163e38fbf854a75f09ac3ff79dbca18093205d782340518b2ae07c
                                                  • Instruction ID: 9c78396f0c4de3e9a0e8f5dcf154b8c6ed0011f224c79c2da1830adfa2d3c58c
                                                  • Opcode Fuzzy Hash: d6d2cf34e6163e38fbf854a75f09ac3ff79dbca18093205d782340518b2ae07c
                                                  • Instruction Fuzzy Hash: E0110612B1DA850FF395D6AC18B62B5ABD2FF9A210B1D01FFD049C72E7D82C6C014362
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2245823652.00007FFD34990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34990000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd34990000_RFQ ENQ186 OI REQUIRE RATE.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b250eefa81a72ad30ed741a4a62222588908d7dd5ea9cc1cb284148a06fb3818
                                                  • Instruction ID: 62d03d53fca29feb3c00cf5af76a4010bd6d95a2d377978b52a5cea9514d3c96
                                                  • Opcode Fuzzy Hash: b250eefa81a72ad30ed741a4a62222588908d7dd5ea9cc1cb284148a06fb3818
                                                  • Instruction Fuzzy Hash: 77F0C931A0892D8FDFA5DA0CD885BE9B3B1FBA8350F0042E6914DE3155DA70AAC58F51
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2245823652.00007FFD34990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34990000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd34990000_RFQ ENQ186 OI REQUIRE RATE.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 0c1289a95e3db4c111c65fb293fb27edd88a5a54c0a2232a68ae30d6c8d6d5e1
                                                  • Instruction ID: cb8c0cfa4abcb5cf9524974a48d19be68f18a81bdb632977c85c33f3901ae221
                                                  • Opcode Fuzzy Hash: 0c1289a95e3db4c111c65fb293fb27edd88a5a54c0a2232a68ae30d6c8d6d5e1
                                                  • Instruction Fuzzy Hash: 5BE01A30B046288EDF60DB48CC81BD9B3B1FB85300F0041E6D54DE3242CA306E84CF42
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2245601336.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd348c0000_RFQ ENQ186 OI REQUIRE RATE.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: (zz4
                                                  • API String ID: 0-3921727618
                                                  • Opcode ID: ba4e64029d6afe4d1a357878bfaff70d34d8de74747c9957480249a252e9246e
                                                  • Instruction ID: c0003df4e1b1def4303c67316fc018c85647a412bc6b5ffb96644b9dbfbf73a8
                                                  • Opcode Fuzzy Hash: ba4e64029d6afe4d1a357878bfaff70d34d8de74747c9957480249a252e9246e
                                                  • Instruction Fuzzy Hash: 5991E653B0FAC15FE72247BC69A51E5ABE1EF4332470802FBD598CA197D81CAD0A9385
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2245601336.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd348c0000_RFQ ENQ186 OI REQUIRE RATE.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 7c9bf33a9d3ee77fb2c08499c1a99868bb6cd42d5ca7b0d01492db17a9794a6e
                                                  • Instruction ID: 027fd95fb69f431fd3246e49e984ed8b97202654b59603369509a97facecc30e
                                                  • Opcode Fuzzy Hash: 7c9bf33a9d3ee77fb2c08499c1a99868bb6cd42d5ca7b0d01492db17a9794a6e
                                                  • Instruction Fuzzy Hash: D1717A56A4E3C20FE35357751D751A4BFF1AE2365471E11EBC6C4CB0A3EA4D680AE322
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2245601336.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd348c0000_RFQ ENQ186 OI REQUIRE RATE.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c173d666fe9e79bd1f39c6430038737b0ff1e1ddb44c85f30b17b6f2f9a7e2fb
                                                  • Instruction ID: cf04ceb0ab536060b0e4292c9af10600ed0792abd668f35f40f34b5b474ed647
                                                  • Opcode Fuzzy Hash: c173d666fe9e79bd1f39c6430038737b0ff1e1ddb44c85f30b17b6f2f9a7e2fb
                                                  • Instruction Fuzzy Hash: 9C614756A4E3C65FE75367740D755A5BFF05E23218B1E40EBC688CB0E3DA0D680AE322
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2245601336.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ffd348c0000_RFQ ENQ186 OI REQUIRE RATE.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d4c0b6c53f491747dcbfb93d7099b2f960c7093cad023228ecdc4681f4fd2ede
                                                  • Instruction ID: 85338e7424df05b4eb7c8e8e7544f3e1497ec43f5554761199ec95989c0a9159
                                                  • Opcode Fuzzy Hash: d4c0b6c53f491747dcbfb93d7099b2f960c7093cad023228ecdc4681f4fd2ede
                                                  • Instruction Fuzzy Hash: 9C41D476A08681ABE7659BBC98F64D67BF4EF1332C70C01B6C188CA043E92D64879645

                                                  Execution Graph

                                                  Execution Coverage: 11.5%
                                                  Dynamic/Decrypted Code Coverage: 100%
                                                  Signature Coverage: 0%
                                                  Total number of Nodes: 19
                                                  Total number of Limit Nodes: 4
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.3326522231.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_2c30000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e8c1b7cadd2b244890525df3f3bce80f6fa6a8d990077faa595eb425d04f33c9
                                                  • Instruction ID: 140eefdec0bb122cee71d6762c09b096e959208f453a4ac1c05e273ef80fa6d5
                                                  • Opcode Fuzzy Hash: e8c1b7cadd2b244890525df3f3bce80f6fa6a8d990077faa595eb425d04f33c9
                                                  • Instruction Fuzzy Hash: 5363FB31D10B5A8ACB11EF68C8806ADF7B1FF99300F15D79AE45877121EB70AAD5CB81
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.3326522231.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_2c30000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 7272db216095f58807e0d2c1e1e0fb71e8f2811613334e9e1afb8d08d1c13682
                                                  • Instruction ID: 982bb5b1f206b311adefd3f5566331a8a6fcf6d0a2206571698813e8aaf8ecbd
                                                  • Opcode Fuzzy Hash: 7272db216095f58807e0d2c1e1e0fb71e8f2811613334e9e1afb8d08d1c13682
                                                  • Instruction Fuzzy Hash: C1330C31D107198EDB11EF68C8806ADF7B1FF99300F15DB9AE459A7211EB70AAC5CB81
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.3326522231.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_2c30000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e4411d943fe3076b6c29c05bf5ce6cc41ec6a35cfeef7f1b9c8f281f12496205
                                                  • Instruction ID: bbe90f57d7c8048bc4c70a4e70f5e42cae932e7488cea9e9942273951550417b
                                                  • Opcode Fuzzy Hash: e4411d943fe3076b6c29c05bf5ce6cc41ec6a35cfeef7f1b9c8f281f12496205
                                                  • Instruction Fuzzy Hash: 18329E35A002058FDB15DF69D884BADBBB2EF88310F148969E909EB395DBB1DD41CB90

                                                  Control-flow Graph

                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.3326522231.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_2c30000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e6c50f4e7a90974d81b260af3ad9140af0c1a6c9a8ed5576e547ec5bd9efd3a1
                                                  • Instruction ID: 7c49b05ef06365f3600eee10ff1bd023a180100999e4184654b42327951e0794
                                                  • Opcode Fuzzy Hash: e6c50f4e7a90974d81b260af3ad9140af0c1a6c9a8ed5576e547ec5bd9efd3a1
                                                  • Instruction Fuzzy Hash: 9FB18D70E00609CFDB29CFA9D8817EDBBF2AF88718F148929D815E7254EB749941CF81
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.3326522231.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_2c30000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f8a74f5f53f84c43440579277d1463a0ff8c4aeec2f93915bab7cad44a71dfd0
                                                  • Instruction ID: 19f83c44df8583374f1c2fc277d3776da54ad83d4b6b97381abe722023e50ab8
                                                  • Opcode Fuzzy Hash: f8a74f5f53f84c43440579277d1463a0ff8c4aeec2f93915bab7cad44a71dfd0
                                                  • Instruction Fuzzy Hash: 0B919B70E00649CFDF25CFA9C98579EBBF2AF88314F148929E405E7254EB749945CF81

                                                  Control-flow Graph

                                                  APIs
                                                  • GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,0647E202), ref: 0647E2EF
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.3330122909.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_6470000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID: GlobalMemoryStatus
                                                  • String ID:
                                                  • API String ID: 1890195054-0
                                                  • Opcode ID: 1844345d4108b5f2abbe69ef06031c4e9b025396aebb0dc2bf99a76af537fd3c
                                                  • Instruction ID: a10ebc94f5c507deaf6caa7372b6e8d2aaf0ba977d039855921fe096deef5077
                                                  • Opcode Fuzzy Hash: 1844345d4108b5f2abbe69ef06031c4e9b025396aebb0dc2bf99a76af537fd3c
                                                  • Instruction Fuzzy Hash: 232145B5C0025ACFDB10CFAAC5447DEBBF4AF48720F24865AD918B7640D7789940CBA0

                                                  Control-flow Graph

                                                  APIs
                                                  • GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,0647E202), ref: 0647E2EF
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.3330122909.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_6470000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID: GlobalMemoryStatus
                                                  • String ID:
                                                  • API String ID: 1890195054-0
                                                  • Opcode ID: 2f0568e3536f7806a98f1dbe5705da484fa43cd23f8dc4070d59fa0225012ef5
                                                  • Instruction ID: 18264c92b9ae61610f152055940d36cd32428c888913515365580e9fae0519bf
                                                  • Opcode Fuzzy Hash: 2f0568e3536f7806a98f1dbe5705da484fa43cd23f8dc4070d59fa0225012ef5
                                                  • Instruction Fuzzy Hash: A01136B1C0065A9FDB10CF9AC544BDEFBB4AF48620F11826AE918B7200D778A950CFE1

                                                  Control-flow Graph

                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.3326522231.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_2c30000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5e8697e9cfa4a84ca7bc7d1be0c661222b930b9ebebdaa91ee83fba955509e5a
                                                  • Instruction ID: ef5180251ef157d2620456938a7246c2b15b80575be8b50150af916359e19de1
                                                  • Opcode Fuzzy Hash: 5e8697e9cfa4a84ca7bc7d1be0c661222b930b9ebebdaa91ee83fba955509e5a
                                                  • Instruction Fuzzy Hash: 65123834B20102CBDB1AAA38E48476C7AA3FBC9304B54996EE005CB345DFB5D947CF91

                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.3326522231.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_2c30000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e85f5ba7e88847011db260728f49804cd49a260395b85170b04e17c7b74092bb
                                                  • Instruction ID: 14dba921c44338323858aa1167b1576430caa84ddc6261c1550873222db95c88
                                                  • Opcode Fuzzy Hash: e85f5ba7e88847011db260728f49804cd49a260395b85170b04e17c7b74092bb
                                                  • Instruction Fuzzy Hash: E2123930B20102CBDB1AAA38E48476C7AA3FBC9340B54996EE405CB345DFB5D847CF91
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.3326522231.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_2c30000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 7f443c786f626c6b581a63c6a0cd5341848b6bad1305d9ae8aae6190f090c4c6
                                                  • Instruction ID: 5fdfe93fc3a53b2d96eaeb740f50854303f5c972fdc9bf12cdd3367998099311
                                                  • Opcode Fuzzy Hash: 7f443c786f626c6b581a63c6a0cd5341848b6bad1305d9ae8aae6190f090c4c6
                                                  • Instruction Fuzzy Hash: B1A18B70E00609CFDB25CFA8D8817DDBBF1AF88718F148929D815EB254EB749985CF91
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.3326522231.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_2c30000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 155ae773a1728b6eba379743f0f80cf611cf95c082ef181af9491f8fb9cdc954
                                                  • Instruction ID: 9c18fc11caeeec43b08a25276c1735c1e8f1fe46ea4286ed2664461b80ebc50e
                                                  • Opcode Fuzzy Hash: 155ae773a1728b6eba379743f0f80cf611cf95c082ef181af9491f8fb9cdc954
                                                  • Instruction Fuzzy Hash: FF916A35A012158FDB15DB68D484BADBBF2EF88310F148969E806EB365DBB1ED42CB50
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.3326522231.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_2c30000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 19fa06d15190ac817a05ddb5171c512751a8ee15df7b2ea8ff1895efd8b0addd
                                                  • Instruction ID: 27e3adda512cc4b317e9de4bf3e613505c7bef47b4557fa444b67115e9479027
                                                  • Opcode Fuzzy Hash: 19fa06d15190ac817a05ddb5171c512751a8ee15df7b2ea8ff1895efd8b0addd
                                                  • Instruction Fuzzy Hash: 369178B0E00649CFDB25CFA8C98579EBBF2AF88314F148929E415E7254EB749945CF81
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.3326522231.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_2c30000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 098fa45f178a27749f2c319f574a41459bdc8988dba098fbc65aa3b1fdf87173
                                                  • Instruction ID: 580af28208528563a53837a7f6b4fd5b9838d4393c704d263a42743f306b1c33
                                                  • Opcode Fuzzy Hash: 098fa45f178a27749f2c319f574a41459bdc8988dba098fbc65aa3b1fdf87173
                                                  • Instruction Fuzzy Hash: 627169B0E00349CFDB29CFA9C88479EBBF2BF88714F148529E415AB254EB749941CF85
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.3326522231.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_2c30000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c5ab8031d1831ad3cd7cb586d0a7089945b951c44a4b4a34dec13ed7f64a0a3a
                                                  • Instruction ID: f3c5392593848a1f30dc4388775bba2ce6f549c2c8b31e2f79f9879821e5451d
                                                  • Opcode Fuzzy Hash: c5ab8031d1831ad3cd7cb586d0a7089945b951c44a4b4a34dec13ed7f64a0a3a
                                                  • Instruction Fuzzy Hash: 4A7176B0E00249CFDB25CFA9C9807DEBBF2BF88714F148929E415AB254EB349841CF81
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.3326522231.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_2c30000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 21f5234d453ee0eea6bce678c83d9d69b55c4639c02f6e1d779c19d3d522d4c5
                                                  • Instruction ID: 8d513bc0ffe50532c8d056904775c04d67695b8bf4b7083af55a70b2ff6e32e7
                                                  • Opcode Fuzzy Hash: 21f5234d453ee0eea6bce678c83d9d69b55c4639c02f6e1d779c19d3d522d4c5
                                                  • Instruction Fuzzy Hash: D241D370B002599FDB16DF78D4507AEB7B6EF89300F20886AE405EB284EB719D46CB91
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.3326522231.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_2c30000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a38051368fbf29510315dcb9d2cd6ac20be5d281e62201226c8642a1baa24d62
                                                  • Instruction ID: 5a66ce5d89403ba49a857490c4255f0df4e61b7ba0e2e173a11851879517e20d
                                                  • Opcode Fuzzy Hash: a38051368fbf29510315dcb9d2cd6ac20be5d281e62201226c8642a1baa24d62
                                                  • Instruction Fuzzy Hash: C9513271E002589FDB15CFAAD884B9DBBB5FF88314F248529E815AB350CB74A844CF98
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.3326522231.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_2c30000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c6d17fefc2422f6e18ff61c9f003e1bed16e945745c3d3957ad63f9230ddcca9
                                                  • Instruction ID: 0d45da9bdd100d546d6152982aa96b5af598ee4bd9183d38693b8750363c0899
                                                  • Opcode Fuzzy Hash: c6d17fefc2422f6e18ff61c9f003e1bed16e945745c3d3957ad63f9230ddcca9
                                                  • Instruction Fuzzy Hash: FD513671E002589FDB15CFA9C844B9DBBF5BF48714F248419E815BB350DB74A944CF98
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.3326522231.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_2c30000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e8c077fe45e2711347a7981aaadab2655988ba1cf6ec28d5eddaa6889cae717a
                                                  • Instruction ID: 95df024c45dc02010f001a70f50bde431fcf9c35b95ff6fba6b1cd49cb193e69
                                                  • Opcode Fuzzy Hash: e8c077fe45e2711347a7981aaadab2655988ba1cf6ec28d5eddaa6889cae717a
                                                  • Instruction Fuzzy Hash: 0951C876A75243CFCF0AFF68F8809553FB1FBE1305704996DD2406B36ADAA86905CB80
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.3326522231.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_2c30000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c809f67d3ff90b119a33d7060e3c7cb8440f557113fee4af57f0f0add254ea73
                                                  • Instruction ID: a4d15524a10d28b8f52675a8f374e8935812d1c7de5882ccea28c1ee73e57df6
                                                  • Opcode Fuzzy Hash: c809f67d3ff90b119a33d7060e3c7cb8440f557113fee4af57f0f0add254ea73
                                                  • Instruction Fuzzy Hash: 0C519776A75243CFCF0AFB68F8809553FB1FBD5306304996DD2406B36ADAA86905CB80
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.3326522231.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_2c30000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 32d69f75913f6c442c764c437943c9096aac4452c608d49f2526f7a7a0196f1c
                                                  • Instruction ID: f05470f8b8fe8cec1f7bf7ff619e344e00a243ce83e5fa59122f3076eeeac65c
                                                  • Opcode Fuzzy Hash: 32d69f75913f6c442c764c437943c9096aac4452c608d49f2526f7a7a0196f1c
                                                  • Instruction Fuzzy Hash: C1311031B002068FCB56AB35D4507AE3BB2ABC9240F540C6DC406DB796EF39CD42CB91
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.3326522231.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_2c30000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6be5bb1e570f2efac770e28fb246a66ddaaef7ded46af87b1208b3e5afbb629f
                                                  • Instruction ID: 04bb32d178a46f8214ff426618889822e469c476adc8a307ffb3f553145ebb82
                                                  • Opcode Fuzzy Hash: 6be5bb1e570f2efac770e28fb246a66ddaaef7ded46af87b1208b3e5afbb629f
                                                  • Instruction Fuzzy Hash: E0310F31B002068FDB5AAB35C41066E3BA3AFC9244F544C6CC00ADB396EF75CD01CB91
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.3326522231.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_2c30000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 04f4c5adbd54e77289c68e496139e726b6bfe82769ec7db624f387d3993ff3bc
                                                  • Instruction ID: 5ac715b147bb613a7c0eb6bce98b2a9f7042814cfc4987c512910825ebbf033a
                                                  • Opcode Fuzzy Hash: 04f4c5adbd54e77289c68e496139e726b6bfe82769ec7db624f387d3993ff3bc
                                                  • Instruction Fuzzy Hash: 06315035E1020ADBDB15DFA4D895B9EB7B6FF89300F50892DE806E7750DB71AC428B90
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.3326522231.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_2c30000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: cd8c9d1c026ac2a5d99ea0a827aa65967cc11ef042b5bb184b0ce8f98cd8141c
                                                  • Instruction ID: d39e8cd73180bd0c000cb3467a1cc4c83ab25edf8a70291b067db18f14ff4ca6
                                                  • Opcode Fuzzy Hash: cd8c9d1c026ac2a5d99ea0a827aa65967cc11ef042b5bb184b0ce8f98cd8141c
                                                  • Instruction Fuzzy Hash: DC31B370E102099BDB15CF65D4447DEF7B6FF89300F208926E402FB240EB719945CB90
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.3326522231.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_2c30000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b3a68fd58576a29354a732e12fa02b4b9b22d68fd521de6aaef753282ea32e45
                                                  • Instruction ID: d6a0284f11034298fda6cf00a82b437669fc2853d16978b5129c1c75be672dba
                                                  • Opcode Fuzzy Hash: b3a68fd58576a29354a732e12fa02b4b9b22d68fd521de6aaef753282ea32e45
                                                  • Instruction Fuzzy Hash: 6B410FB1900349DFEF10CFA9C984ADEBBB0BF88314F148429E819AB254DB75A945CB91
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.3326522231.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_2c30000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5bf13a5a1de3e63a311041626ecc217845119b2ca8a3fff3cb6e0eef0635aa8a
                                                  • Instruction ID: 4ce7a5844c85c0d8d0f14c4e91e5069b42a505a53214458decf7e094ca90cdf8
                                                  • Opcode Fuzzy Hash: 5bf13a5a1de3e63a311041626ecc217845119b2ca8a3fff3cb6e0eef0635aa8a
                                                  • Instruction Fuzzy Hash: 89315E35E10206DBDB15DFA4D494A9EB7B6BF88300F508D2DE806EB750DB71AC42CB90
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.3326522231.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_2c30000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 97d5549cbf663c9a6d5eafe8fbdb61c9f58124531e354b0d411f872cc3d47e59
                                                  • Instruction ID: 0172a61f240cf3012cd29c6e06d04cfb57c1694d8430d75879c7eb0855ee924d
                                                  • Opcode Fuzzy Hash: 97d5549cbf663c9a6d5eafe8fbdb61c9f58124531e354b0d411f872cc3d47e59
                                                  • Instruction Fuzzy Hash: 04315831A10246CFDF16EB34C8546AD77B2AB8D384F500868C905AB394DB36DD01CB90
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.3326522231.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_2c30000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4ff5a9d70dff191ba9313acfbc6aef5c0b83f7f85f57f36d7b49fd3d951e29b5
                                                  • Instruction ID: 912f5bca3dc435f4b466775734c4317fa722d1aac56856e9fa22662012d080b8
                                                  • Opcode Fuzzy Hash: 4ff5a9d70dff191ba9313acfbc6aef5c0b83f7f85f57f36d7b49fd3d951e29b5
                                                  • Instruction Fuzzy Hash: F8410FB1D00349DFDF10CFA9C980ADEBBB4FF88714F108429E809AB214DB75A945CB91
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.3326522231.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_2c30000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 98bbaff6add57654fa9693d40a7a5caf5f00eb9138041c37ec915b69945247db
                                                  • Instruction ID: 1ff74fcba83bc26f76c2957cbf5868c5648ec13f6a18bea36e7eb7ba626da016
                                                  • Opcode Fuzzy Hash: 98bbaff6add57654fa9693d40a7a5caf5f00eb9138041c37ec915b69945247db
                                                  • Instruction Fuzzy Hash: EB312931A10216CFDF16EB74C9546AD77F2AB8D384F500C68C905AB394DB76DD41CB91
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.3326522231.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_2c30000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 03242beb5e7d1cc5ffd325be46641e8261204721a9f20a18c369a4d00422cc04
                                                  • Instruction ID: 4db5bef3aec055b3a16181905f16b304667e66d9c22c5955fe12e49e0d639045
                                                  • Opcode Fuzzy Hash: 03242beb5e7d1cc5ffd325be46641e8261204721a9f20a18c369a4d00422cc04
                                                  • Instruction Fuzzy Hash: 7931AE31E1020A9BDF16CFA4D880B9EF7B2FF89300F548919E805AB240DBB19942CB50
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.3326522231.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false