Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
QUOTATION#08670.exe

Overview

General Information

Sample name:QUOTATION#08670.exe
Analysis ID:1572925
MD5:93bdfd46628601b04ea067e5f52187d7
SHA1:4d2e420aa6a8289763b9c0a79fccb7e18ee02294
SHA256:f2d566b1b667cf8ea8c35f2827f62e7430941e1fdd13019811768e3a942ec926
Tags:AgentTeslaexeuser-lowmal3
Infos:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Disables UAC (registry)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file does not import any functions
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w10x64
  • QUOTATION#08670.exe (PID: 3476 cmdline: "C:\Users\user\Desktop\QUOTATION#08670.exe" MD5: 93BDFD46628601B04EA067E5F52187D7)
    • conhost.exe (PID: 1908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 2056 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTATION#08670.exe" -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 6708 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • CasPol.exe (PID: 4900 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)
    • WerFault.exe (PID: 3608 cmdline: C:\Windows\system32\WerFault.exe -u -p 3476 -s 1468 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • newapp.exe (PID: 948 cmdline: "C:\Users\user\AppData\Roaming\newapp\newapp.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)
    • conhost.exe (PID: 2580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • newapp.exe (PID: 5720 cmdline: "C:\Users\user\AppData\Roaming\newapp\newapp.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)
    • conhost.exe (PID: 4328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • svchost.exe (PID: 7080 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Agent Tesla, AgentTeslaA .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "Host": "ftp://ftp.ercolina-usa.com", "Username": "ben@ercolina-usa.com", "Password": "nXe0M~WkW&nJ"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000005.00000002.4621214709.0000000002D11000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
    00000005.00000002.4621214709.0000000002D11000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
      00000005.00000002.4621214709.0000000002D3C000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
        00000000.00000002.2259784482.000001CF98408000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_UACBypassusingCMSTPYara detected UAC Bypass using CMSTPJoe Security
          00000005.00000002.4609800708.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
            Click to see the 9 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            0.2.QUOTATION#08670.exe.1cfa83cbf08.0.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
              0.2.QUOTATION#08670.exe.1cfa83cbf08.0.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                0.2.QUOTATION#08670.exe.1cfa83cbf08.0.unpackINDICATOR_SUSPICIOUS_EXE_VaultSchemaGUIDDetects executables referencing Windows vault credential objects. Observed in infostealersditekSHen
                • 0x33bdc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
                • 0x33c4e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
                • 0x33cd8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
                • 0x33d6a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
                • 0x33dd4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
                • 0x33e46:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
                • 0x33edc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
                • 0x33f6c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
                0.2.QUOTATION#08670.exe.1cfa83cbf08.0.unpackMALWARE_Win_AgentTeslaV2AgenetTesla Type 2 Keylogger payloadditekSHen
                • 0x30dec:$s2: GetPrivateProfileString
                • 0x30472:$s3: get_OSFullName
                • 0x31b69:$s5: remove_Key
                • 0x31d29:$s5: remove_Key
                • 0x32ca1:$s6: FtpWebRequest
                • 0x33bbe:$s7: logins
                • 0x34130:$s7: logins
                • 0x36e41:$s7: logins
                • 0x36ef3:$s7: logins
                • 0x389be:$s7: logins
                • 0x37a8d:$s9: 1.85 (Hash, version 2, native byte-order)
                0.2.QUOTATION#08670.exe.1cfa838ecc0.1.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
                  Click to see the 15 entries

                  Sigma Signatures

                  System Summary

                  barindex
                  Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
                  Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTATION#08670.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTATION#08670.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\QUOTATION#08670.exe", ParentImage: C:\Users\user\Desktop\QUOTATION#08670.exe, ParentProcessId: 3476, ParentProcessName: QUOTATION#08670.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTATION#08670.exe" -Force, ProcessId: 2056, ProcessName: powershell.exe
                  Sigma detected: CurrentVersion Autorun Keys Modification
                  Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\newapp\newapp.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, ProcessId: 4900, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\newapp
                  Sigma detected: Powershell Defender Exclusion
                  Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTATION#08670.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTATION#08670.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\QUOTATION#08670.exe", ParentImage: C:\Users\user\Desktop\QUOTATION#08670.exe, ParentProcessId: 3476, ParentProcessName: QUOTATION#08670.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTATION#08670.exe" -Force, ProcessId: 2056, ProcessName: powershell.exe
                  Sigma detected: Non Interactive PowerShell Process Spawned
                  Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTATION#08670.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTATION#08670.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\QUOTATION#08670.exe", ParentImage: C:\Users\user\Desktop\QUOTATION#08670.exe, ParentProcessId: 3476, ParentProcessName: QUOTATION#08670.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTATION#08670.exe" -Force, ProcessId: 2056, ProcessName: powershell.exe
                  Sigma detected: Windows Processes Suspicious Parent Directory
                  Source: Process startedAuthor: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7080, ProcessName: svchost.exe

                  Suricata Signatures

                  No Suricata rule has matched

                  Joe Sandbox Signatures

                  Click to jump to signature section

                  Show All Signature Results

                  AV Detection

                  barindex
                  Found malware configuration
                  Source: 0.2.QUOTATION#08670.exe.1cfa83cbf08.0.raw.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.ercolina-usa.com", "Username": "ben@ercolina-usa.com", "Password": "nXe0M~WkW&nJ"}
                  Multi AV Scanner detection for submitted file
                  Source: QUOTATION#08670.exeReversingLabs: Detection: 21%
                  Source: QUOTATION#08670.exeVirustotal: Detection: 30%Perma Link
                  AI detected suspicious sample
                  Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                  Machine Learning detection for sample
                  Source: QUOTATION#08670.exeJoe Sandbox ML: detected

                  Exploits

                  barindex
                  Yara detected UAC Bypass using CMSTP
                  Source: Yara matchFile source: 00000000.00000002.2259784482.000001CF98408000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: QUOTATION#08670.exe PID: 3476, type: MEMORYSTR
                  Source: unknownHTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.6:49715 version: TLS 1.2
                  Source: QUOTATION#08670.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: Binary string: \??\C:\Windows\symbols\dll\System.Core.pdb source: QUOTATION#08670.exe, 00000000.00000002.2262874808.000001CFB0D23000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbYMZ source: QUOTATION#08670.exe, 00000000.00000002.2259070205.0000005985AF3000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: Microsoft.CSharp.pdb P source: WER28F3.tmp.dmp.8.dr
                  Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: QUOTATION#08670.exe, 00000000.00000002.2262874808.000001CFB0D23000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.ni.pdbRSDS source: WER28F3.tmp.dmp.8.dr
                  Source: Binary string: C:\Users\user\Desktop\QUOTATION#08670.PDBYz source: QUOTATION#08670.exe, 00000000.00000002.2259070205.0000005985AF3000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: Microsoft.CSharp.pdb source: WER28F3.tmp.dmp.8.dr
                  Source: Binary string: System.Windows.Forms.ni.pdb source: WER28F3.tmp.dmp.8.dr
                  Source: Binary string: YpC:\Users\user\Desktop\QUOTATION#08670.PDB source: QUOTATION#08670.exe, 00000000.00000002.2259070205.0000005985AF3000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: System.Drawing.ni.pdb source: WER28F3.tmp.dmp.8.dr
                  Source: Binary string: QUOTATION#08670.PDB source: QUOTATION#08670.exe, 00000000.00000002.2259070205.0000005985AF3000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER28F3.tmp.dmp.8.dr
                  Source: Binary string: System.Drawing.ni.pdbRSDS source: WER28F3.tmp.dmp.8.dr
                  Source: Binary string: C:\Users\user\Desktop\QUOTATION#08670.PDB source: QUOTATION#08670.exe, 00000000.00000002.2259070205.0000005985AF3000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: QUOTATION#08670.exe, 00000000.00000002.2259366070.000001CF969B9000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.pdb source: WER28F3.tmp.dmp.8.dr
                  Source: Binary string: System.Core.ni.pdb source: WER28F3.tmp.dmp.8.dr
                  Source: Binary string: \??\C:\Users\user\Desktop\QUOTATION#08670.PDB source: QUOTATION#08670.exe, 00000000.00000002.2262874808.000001CFB0D23000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Windows.Forms.pdb source: WER28F3.tmp.dmp.8.dr
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: QUOTATION#08670.exe, 00000000.00000002.2259366070.000001CF96962000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: mscorlib.pdb source: QUOTATION#08670.exe, 00000000.00000002.2262874808.000001CFB0D06000.00000004.00000020.00020000.00000000.sdmp, WER28F3.tmp.dmp.8.dr
                  Source: Binary string: System.Core.pdb4 source: WER28F3.tmp.dmp.8.dr
                  Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: QUOTATION#08670.exe, 00000000.00000002.2262874808.000001CFB0D23000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\System.Core.pdb source: QUOTATION#08670.exe, 00000000.00000002.2262874808.000001CFB0D23000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: YindoC:\Windows\System.Core.pdb source: QUOTATION#08670.exe, 00000000.00000002.2259070205.0000005985AF3000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WER28F3.tmp.dmp.8.dr
                  Source: Binary string: System.Dynamic.pdb source: WER28F3.tmp.dmp.8.dr
                  Source: Binary string: System.Windows.Forms.pdb0 source: WER28F3.tmp.dmp.8.dr
                  Source: Binary string: System.Drawing.pdb source: WER28F3.tmp.dmp.8.dr
                  Source: Binary string: System.Drawing.pdb8 source: WER28F3.tmp.dmp.8.dr
                  Source: Binary string: mscorlib.ni.pdb source: WER28F3.tmp.dmp.8.dr
                  Source: Binary string: \??\C:\Windows\dll\System.Core.pdb source: QUOTATION#08670.exe, 00000000.00000002.2262874808.000001CFB0D23000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: caspol.pdb source: newapp.exe, 0000000B.00000000.2329669563.0000000000FF2000.00000002.00000001.01000000.00000009.sdmp, newapp.exe.5.dr
                  Source: Binary string: System.Core.pdb source: QUOTATION#08670.exe, 00000000.00000002.2262874808.000001CFB0D06000.00000004.00000020.00020000.00000000.sdmp, WER28F3.tmp.dmp.8.dr
                  Source: Binary string: \??\C:\Windows\mscorlib.pdbx source: QUOTATION#08670.exe, 00000000.00000002.2262874808.000001CFB0D23000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\dll\System.Core.pdb) source: QUOTATION#08670.exe, 00000000.00000002.2262874808.000001CFB0D23000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.ni.pdb source: WER28F3.tmp.dmp.8.dr
                  Source: Binary string: System.Core.ni.pdbRSDS source: WER28F3.tmp.dmp.8.dr
                  Source: Joe Sandbox ViewIP Address: 192.254.225.136 192.254.225.136
                  Source: Joe Sandbox ViewIP Address: 172.67.74.152 172.67.74.152
                  Source: Joe Sandbox ViewIP Address: 172.67.74.152 172.67.74.152
                  Source: Joe Sandbox ViewASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US
                  Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                  Source: unknownDNS query: name: api.ipify.org
                  Source: unknownDNS query: name: api.ipify.org
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                  Source: global trafficDNS traffic detected: DNS query: api.ipify.org
                  Source: global trafficDNS traffic detected: DNS query: ftp.ercolina-usa.com
                  Source: svchost.exe, 0000001B.00000002.4409046537.000001E07CE00000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.ver)
                  Source: qmgr.db.27.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
                  Source: qmgr.db.27.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acocfkfsx7alydpzevdxln7drwdq_117.0.5938.134/117.0.5
                  Source: qmgr.db.27.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
                  Source: qmgr.db.27.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
                  Source: qmgr.db.27.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
                  Source: qmgr.db.27.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
                  Source: qmgr.db.27.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
                  Source: CasPol.exe, 00000005.00000002.4621214709.0000000002DCB000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.4621214709.0000000002D3C000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.4621214709.0000000002DAF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ercolina-usa.com
                  Source: edb.log.27.drString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
                  Source: CasPol.exe, 00000005.00000002.4621214709.0000000002DCB000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.4621214709.0000000002D3C000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.4621214709.0000000002DAF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ftp.ercolina-usa.com
                  Source: CasPol.exe, 00000005.00000002.4621214709.0000000002CC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: Amcache.hve.8.drString found in binary or memory: http://upx.sf.net
                  Source: QUOTATION#08670.exe, 00000000.00000002.2260686823.000001CFA8351000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.4609800708.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://account.dyn.com/
                  Source: QUOTATION#08670.exe, 00000000.00000002.2260686823.000001CFA8351000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.4621214709.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.4609800708.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org
                  Source: CasPol.exe, 00000005.00000002.4621214709.0000000002CC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/
                  Source: CasPol.exe, 00000005.00000002.4621214709.0000000002CC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/t
                  Source: edb.log.27.drString found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
                  Source: svchost.exe, 0000001B.00000003.2760841753.000001E07CBC0000.00000004.00000800.00020000.00000000.sdmp, edb.log.27.drString found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49715 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49715
                  Source: unknownHTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.6:49715 version: TLS 1.2

                  Key, Mouse, Clipboard, Microphone and Screen Capturing

                  barindex
                  Contains functionality to log keystrokes (.Net Source)
                  Source: 0.2.QUOTATION#08670.exe.1cfa83cbf08.0.raw.unpack, SKTzxzsJw.cs.Net Code: KdRT1gFnIpl
                  Source: 0.2.QUOTATION#08670.exe.1cfa838ecc0.1.raw.unpack, SKTzxzsJw.cs.Net Code: KdRT1gFnIpl
                  Installs a global keyboard hook
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeWindows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior

                  System Summary

                  barindex
                  Malicious sample detected (through community Yara rule)
                  Source: 0.2.QUOTATION#08670.exe.1cfa83cbf08.0.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 0.2.QUOTATION#08670.exe.1cfa83cbf08.0.unpack, type: UNPACKEDPEMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                  Source: 0.2.QUOTATION#08670.exe.1cfa838ecc0.1.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 0.2.QUOTATION#08670.exe.1cfa838ecc0.1.unpack, type: UNPACKEDPEMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                  Source: 5.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 5.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                  Source: 0.2.QUOTATION#08670.exe.1cfa83cbf08.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 0.2.QUOTATION#08670.exe.1cfa83cbf08.0.raw.unpack, type: UNPACKEDPEMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                  Source: 0.2.QUOTATION#08670.exe.1cfa838ecc0.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 0.2.QUOTATION#08670.exe.1cfa838ecc0.1.raw.unpack, type: UNPACKEDPEMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                  Initial sample is a PE file and has a suspicious name
                  Source: initial sampleStatic PE information: Filename: QUOTATION#08670.exe
                  Source: C:\Windows\System32\svchost.exeFile created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeCode function: 0_2_00007FFD3482B4600_2_00007FFD3482B460
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeCode function: 0_2_00007FFD348021680_2_00007FFD34802168
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeCode function: 0_2_00007FFD348011D00_2_00007FFD348011D0
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeCode function: 0_2_00007FFD3482B3E80_2_00007FFD3482B3E8
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeCode function: 0_2_00007FFD34802F480_2_00007FFD34802F48
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeCode function: 0_2_00007FFD34802F800_2_00007FFD34802F80
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeCode function: 0_2_00007FFD348261CE0_2_00007FFD348261CE
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeCode function: 0_2_00007FFD3482B4500_2_00007FFD3482B450
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 5_2_00DCE1405_2_00DCE140
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 5_2_00DCE9FF5_2_00DCE9FF
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 5_2_00DCA9485_2_00DCA948
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 5_2_00DC4A685_2_00DC4A68
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 5_2_00DCADB05_2_00DCADB0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 5_2_00DC3E505_2_00DC3E50
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 5_2_00DC41985_2_00DC4198
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 5_2_064647845_2_06464784
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 5_2_06466A125_2_06466A12
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 5_2_06461B705_2_06461B70
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 5_2_06461F285_2_06461F28
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 5_2_06465D425_2_06465D42
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 5_2_06465D485_2_06465D48
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 5_2_06477E685_2_06477E68
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 5_2_064766E05_2_064766E0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 5_2_064756B05_2_064756B0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 5_2_064735705_2_06473570
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 5_2_0647C2685_2_0647C268
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 5_2_0647B3185_2_0647B318
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 5_2_064777885_2_06477788
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 5_2_0647E4985_2_0647E498
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 5_2_06475DE85_2_06475DE8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 5_2_064700405_2_06470040
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3476 -s 1468
                  Source: QUOTATION#08670.exeStatic PE information: No import functions for PE file found
                  Source: QUOTATION#08670.exe, 00000000.00000002.2260686823.000001CFA8351000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename4050351b-3b81-4030-83d1-4403e211abfe.exe4 vs QUOTATION#08670.exe
                  Source: QUOTATION#08670.exe, 00000000.00000002.2260686823.000001CFA8351000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameAzidele4 vs QUOTATION#08670.exe
                  Source: QUOTATION#08670.exe, 00000000.00000002.2259366070.000001CF968FC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs QUOTATION#08670.exe
                  Source: QUOTATION#08670.exe, 00000000.00000000.2138468056.000001CF96752000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameConsoleApplication2.exeH vs QUOTATION#08670.exe
                  Source: QUOTATION#08670.exeBinary or memory string: OriginalFilenameConsoleApplication2.exeH vs QUOTATION#08670.exe
                  Source: 0.2.QUOTATION#08670.exe.1cfa83cbf08.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 0.2.QUOTATION#08670.exe.1cfa83cbf08.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                  Source: 0.2.QUOTATION#08670.exe.1cfa838ecc0.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 0.2.QUOTATION#08670.exe.1cfa838ecc0.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                  Source: 5.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 5.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                  Source: 0.2.QUOTATION#08670.exe.1cfa83cbf08.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 0.2.QUOTATION#08670.exe.1cfa83cbf08.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                  Source: 0.2.QUOTATION#08670.exe.1cfa838ecc0.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 0.2.QUOTATION#08670.exe.1cfa838ecc0.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                  Source: QUOTATION#08670.exe, -.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                  Source: 0.2.QUOTATION#08670.exe.1cfa83cbf08.0.raw.unpack, 4JJG6X.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.QUOTATION#08670.exe.1cfa83cbf08.0.raw.unpack, 4JJG6X.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.QUOTATION#08670.exe.1cfa83cbf08.0.raw.unpack, 8C78isHTVco.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.QUOTATION#08670.exe.1cfa83cbf08.0.raw.unpack, 8C78isHTVco.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.QUOTATION#08670.exe.1cfa83cbf08.0.raw.unpack, 8C78isHTVco.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.QUOTATION#08670.exe.1cfa83cbf08.0.raw.unpack, 8C78isHTVco.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.QUOTATION#08670.exe.1cfa83cbf08.0.raw.unpack, CqSP68Ir.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.QUOTATION#08670.exe.1cfa83cbf08.0.raw.unpack, CqSP68Ir.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                  Source: classification engineClassification label: mal100.troj.spyw.expl.evad.winEXE@14/19@2/3
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Roaming\newappJump to behavior
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeMutant created: NULL
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1908:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4328:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2580:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6488:120:WilError_03
                  Source: C:\Windows\System32\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3476
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1othnnnn.rpl.ps1Jump to behavior
                  Source: QUOTATION#08670.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: QUOTATION#08670.exeStatic file information: TRID: Win64 Executable Console Net Framework (206006/5) 48.58%
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                  Source: QUOTATION#08670.exeReversingLabs: Detection: 21%
                  Source: QUOTATION#08670.exeVirustotal: Detection: 30%
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeFile read: C:\Users\user\Desktop\QUOTATION#08670.exeJump to behavior
                  Source: unknownProcess created: C:\Users\user\Desktop\QUOTATION#08670.exe "C:\Users\user\Desktop\QUOTATION#08670.exe"
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTATION#08670.exe" -Force
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3476 -s 1468
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                  Source: unknownProcess created: C:\Users\user\AppData\Roaming\newapp\newapp.exe "C:\Users\user\AppData\Roaming\newapp\newapp.exe"
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: unknownProcess created: C:\Users\user\AppData\Roaming\newapp\newapp.exe "C:\Users\user\AppData\Roaming\newapp\newapp.exe"
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTATION#08670.exe" -ForceJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"Jump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeSection loaded: edputil.dllJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeSection loaded: appresolver.dllJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeSection loaded: bcp47langs.dllJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeSection loaded: slc.dllJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeSection loaded: sppc.dllJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: rasapi32.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: rasman.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: rtutils.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: mswsock.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: dhcpcsvc6.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: dhcpcsvc.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: winnsi.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: rasadhlp.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: fwpuclnt.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: schannel.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: mskeyprotect.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: ntasn1.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: ncrypt.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: ncryptsslp.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: ntmarta.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: vaultcli.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: dpapi.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: edputil.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeSection loaded: mscoree.dll
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeSection loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeSection loaded: version.dll
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeSection loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: esent.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: mi.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: webio.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: es.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dll
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\ProfilesJump to behavior
                  Source: QUOTATION#08670.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: QUOTATION#08670.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: Binary string: \??\C:\Windows\symbols\dll\System.Core.pdb source: QUOTATION#08670.exe, 00000000.00000002.2262874808.000001CFB0D23000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbYMZ source: QUOTATION#08670.exe, 00000000.00000002.2259070205.0000005985AF3000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: Microsoft.CSharp.pdb P source: WER28F3.tmp.dmp.8.dr
                  Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: QUOTATION#08670.exe, 00000000.00000002.2262874808.000001CFB0D23000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.ni.pdbRSDS source: WER28F3.tmp.dmp.8.dr
                  Source: Binary string: C:\Users\user\Desktop\QUOTATION#08670.PDBYz source: QUOTATION#08670.exe, 00000000.00000002.2259070205.0000005985AF3000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: Microsoft.CSharp.pdb source: WER28F3.tmp.dmp.8.dr
                  Source: Binary string: System.Windows.Forms.ni.pdb source: WER28F3.tmp.dmp.8.dr
                  Source: Binary string: YpC:\Users\user\Desktop\QUOTATION#08670.PDB source: QUOTATION#08670.exe, 00000000.00000002.2259070205.0000005985AF3000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: System.Drawing.ni.pdb source: WER28F3.tmp.dmp.8.dr
                  Source: Binary string: QUOTATION#08670.PDB source: QUOTATION#08670.exe, 00000000.00000002.2259070205.0000005985AF3000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER28F3.tmp.dmp.8.dr
                  Source: Binary string: System.Drawing.ni.pdbRSDS source: WER28F3.tmp.dmp.8.dr
                  Source: Binary string: C:\Users\user\Desktop\QUOTATION#08670.PDB source: QUOTATION#08670.exe, 00000000.00000002.2259070205.0000005985AF3000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: QUOTATION#08670.exe, 00000000.00000002.2259366070.000001CF969B9000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.pdb source: WER28F3.tmp.dmp.8.dr
                  Source: Binary string: System.Core.ni.pdb source: WER28F3.tmp.dmp.8.dr
                  Source: Binary string: \??\C:\Users\user\Desktop\QUOTATION#08670.PDB source: QUOTATION#08670.exe, 00000000.00000002.2262874808.000001CFB0D23000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Windows.Forms.pdb source: WER28F3.tmp.dmp.8.dr
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: QUOTATION#08670.exe, 00000000.00000002.2259366070.000001CF96962000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: mscorlib.pdb source: QUOTATION#08670.exe, 00000000.00000002.2262874808.000001CFB0D06000.00000004.00000020.00020000.00000000.sdmp, WER28F3.tmp.dmp.8.dr
                  Source: Binary string: System.Core.pdb4 source: WER28F3.tmp.dmp.8.dr
                  Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: QUOTATION#08670.exe, 00000000.00000002.2262874808.000001CFB0D23000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\System.Core.pdb source: QUOTATION#08670.exe, 00000000.00000002.2262874808.000001CFB0D23000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: YindoC:\Windows\System.Core.pdb source: QUOTATION#08670.exe, 00000000.00000002.2259070205.0000005985AF3000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WER28F3.tmp.dmp.8.dr
                  Source: Binary string: System.Dynamic.pdb source: WER28F3.tmp.dmp.8.dr
                  Source: Binary string: System.Windows.Forms.pdb0 source: WER28F3.tmp.dmp.8.dr
                  Source: Binary string: System.Drawing.pdb source: WER28F3.tmp.dmp.8.dr
                  Source: Binary string: System.Drawing.pdb8 source: WER28F3.tmp.dmp.8.dr
                  Source: Binary string: mscorlib.ni.pdb source: WER28F3.tmp.dmp.8.dr
                  Source: Binary string: \??\C:\Windows\dll\System.Core.pdb source: QUOTATION#08670.exe, 00000000.00000002.2262874808.000001CFB0D23000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: caspol.pdb source: newapp.exe, 0000000B.00000000.2329669563.0000000000FF2000.00000002.00000001.01000000.00000009.sdmp, newapp.exe.5.dr
                  Source: Binary string: System.Core.pdb source: QUOTATION#08670.exe, 00000000.00000002.2262874808.000001CFB0D06000.00000004.00000020.00020000.00000000.sdmp, WER28F3.tmp.dmp.8.dr
                  Source: Binary string: \??\C:\Windows\mscorlib.pdbx source: QUOTATION#08670.exe, 00000000.00000002.2262874808.000001CFB0D23000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\dll\System.Core.pdb) source: QUOTATION#08670.exe, 00000000.00000002.2262874808.000001CFB0D23000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.ni.pdb source: WER28F3.tmp.dmp.8.dr
                  Source: Binary string: System.Core.ni.pdbRSDS source: WER28F3.tmp.dmp.8.dr
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeCode function: 0_2_00007FFD3481F6BD push eax; ret 0_2_00007FFD3481F6E4
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeCode function: 0_2_00007FFD348000BD pushad ; iretd 0_2_00007FFD348000C1
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeCode function: 0_2_00007FFD34825DA2 push edx; iretd 0_2_00007FFD34825DA3
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeCode function: 0_2_00007FFD3480595B pushfd ; retf 0_2_00007FFD34805991
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeCode function: 0_2_00007FFD348059A5 push edx; retf 0_2_00007FFD348059DB
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeCode function: 0_2_00007FFD34910618 push esp; retf 4810h0_2_00007FFD34910762
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 5_2_06465350 pushfd ; ret 5_2_06465669
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 5_2_0646AF03 push es; ret 5_2_0646AF10
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 5_2_064668E2 push esp; retf 5_2_064668E9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 5_2_064668E0 pushad ; retf 5_2_064668E1
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 5_2_06465662 pushfd ; ret 5_2_06465669
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Roaming\newapp\newapp.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run newappJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run newappJump to behavior

                  Hooking and other Techniques for Hiding and Protection

                  barindex
                  Hides that the sample has been downloaded from the Internet (zone.identifier)
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Roaming\newapp\newapp.exe:Zone.Identifier read attributes | deleteJump to behavior
                  Loading BitLocker PowerShell Module
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  barindex
                  Yara detected AntiVM3
                  Source: Yara matchFile source: Process Memory Space: QUOTATION#08670.exe PID: 3476, type: MEMORYSTR
                  Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                  Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                  Source: QUOTATION#08670.exe, 00000000.00000002.2259784482.000001CF98408000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
                  Source: QUOTATION#08670.exe, 00000000.00000002.2259784482.000001CF98408000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeMemory allocated: 1CF96A90000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeMemory allocated: 1CFB0340000 memory reserve | memory write watchJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeMemory allocated: D90000 memory reserve | memory write watchJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeMemory allocated: 2CC0000 memory reserve | memory write watchJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeMemory allocated: 4CC0000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeMemory allocated: 1860000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeMemory allocated: 33F0000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeMemory allocated: 3180000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeMemory allocated: B10000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeMemory allocated: 2760000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeMemory allocated: 24A0000 memory reserve | memory write watch
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 600000Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 599875Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 599750Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 599630Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 599513Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 599391Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 599266Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 599155Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 599011Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 598610Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 598482Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 598375Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 598265Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 598156Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 598047Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 597938Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 597814Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 597688Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 597571Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 597455Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 597331Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 597204Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 597079Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 596954Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 596829Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 596704Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 596579Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 596455Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 596317Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 596132Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 596025Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 595907Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 595795Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 595610Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 595484Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 595375Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 595266Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 595141Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 595031Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 594921Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 594811Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 594703Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 594594Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 594485Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 594375Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 594266Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 594141Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 594016Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 593907Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 593782Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 593657Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 593543Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 593422Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6860Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2856Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeWindow / User API: threadDelayed 4103Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeWindow / User API: threadDelayed 5718Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5388Thread sleep time: -3689348814741908s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 6684Thread sleep count: 33 > 30Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 6684Thread sleep time: -30437127721620741s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 6684Thread sleep time: -600000s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5844Thread sleep count: 4103 > 30Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 6684Thread sleep time: -599875s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5844Thread sleep count: 5718 > 30Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 6684Thread sleep time: -599750s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 6684Thread sleep time: -599630s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 6684Thread sleep time: -599513s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 6684Thread sleep time: -599391s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 6684Thread sleep time: -599266s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 6684Thread sleep time: -599155s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 6684Thread sleep time: -599011s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 6684Thread sleep time: -598610s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 6684Thread sleep time: -598482s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 6684Thread sleep time: -598375s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 6684Thread sleep time: -598265s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 6684Thread sleep time: -598156s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 6684Thread sleep time: -598047s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 6684Thread sleep time: -597938s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 6684Thread sleep time: -597814s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 6684Thread sleep time: -597688s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 6684Thread sleep time: -597571s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 6684Thread sleep time: -597455s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 6684Thread sleep time: -597331s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 6684Thread sleep time: -597204s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 6684Thread sleep time: -597079s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 6684Thread sleep time: -596954s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 6684Thread sleep time: -596829s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 6684Thread sleep time: -596704s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 6684Thread sleep time: -596579s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 6684Thread sleep time: -596455s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 6684Thread sleep time: -596317s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 6684Thread sleep time: -596132s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 6684Thread sleep time: -596025s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 6684Thread sleep time: -595907s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 6684Thread sleep time: -595795s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 6684Thread sleep time: -595610s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 6684Thread sleep time: -595484s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 6684Thread sleep time: -595375s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 6684Thread sleep time: -595266s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 6684Thread sleep time: -595141s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 6684Thread sleep time: -595031s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 6684Thread sleep time: -594921s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 6684Thread sleep time: -594811s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 6684Thread sleep time: -594703s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 6684Thread sleep time: -594594s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 6684Thread sleep time: -594485s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 6684Thread sleep time: -594375s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 6684Thread sleep time: -594266s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 6684Thread sleep time: -594141s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 6684Thread sleep time: -594016s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 6684Thread sleep time: -593907s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 6684Thread sleep time: -593782s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 6684Thread sleep time: -593657s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 6684Thread sleep time: -593543s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 6684Thread sleep time: -593422s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 3816Thread sleep time: -922337203685477s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 5392Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\System32\svchost.exe TID: 4232Thread sleep time: -30000s >= -30000s
                  Source: C:\Windows\System32\svchost.exe TID: 1132Thread sleep time: -30000s >= -30000s
                  Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 600000Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 599875Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 599750Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 599630Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 599513Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 599391Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 599266Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 599155Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 599011Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 598610Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 598482Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 598375Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 598265Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 598156Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 598047Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 597938Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 597814Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 597688Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 597571Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 597455Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 597331Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 597204Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 597079Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 596954Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 596829Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 596704Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 596579Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 596455Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 596317Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 596132Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 596025Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 595907Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 595795Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 595610Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 595484Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 595375Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 595266Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 595141Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 595031Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 594921Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 594811Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 594703Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 594594Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 594485Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 594375Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 594266Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 594141Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 594016Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 593907Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 593782Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 593657Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 593543Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 593422Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeThread delayed: delay time: 922337203685477
                  Source: Amcache.hve.8.drBinary or memory string: VMware
                  Source: Amcache.hve.8.drBinary or memory string: VMware Virtual USB Mouse
                  Source: Amcache.hve.8.drBinary or memory string: vmci.syshbin
                  Source: Amcache.hve.8.drBinary or memory string: VMware, Inc.
                  Source: QUOTATION#08670.exe, 00000000.00000002.2259784482.000001CF98408000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                  Source: svchost.exe, 0000001B.00000002.4408565698.000001E07B62B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWp
                  Source: Amcache.hve.8.drBinary or memory string: VMware20,1hbin@
                  Source: Amcache.hve.8.drBinary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                  Source: Amcache.hve.8.drBinary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                  Source: Amcache.hve.8.drBinary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                  Source: Amcache.hve.8.drBinary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
                  Source: svchost.exe, 0000001B.00000002.4409167396.000001E07CE5A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                  Source: Amcache.hve.8.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                  Source: QUOTATION#08670.exe, 00000000.00000002.2259784482.000001CF98408000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWARE
                  Source: QUOTATION#08670.exe, 00000000.00000002.2259784482.000001CF98408000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
                  Source: Amcache.hve.8.drBinary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                  Source: QUOTATION#08670.exe, 00000000.00000002.2259784482.000001CF98408000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                  Source: QUOTATION#08670.exe, 00000000.00000002.2259784482.000001CF98408000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA II
                  Source: Amcache.hve.8.drBinary or memory string: c:/windows/system32/drivers/vmci.sys
                  Source: Amcache.hve.8.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                  Source: CasPol.exe, 00000005.00000002.4626426253.0000000005CC0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: Amcache.hve.8.drBinary or memory string: vmci.sys
                  Source: QUOTATION#08670.exe, 00000000.00000002.2259784482.000001CF98408000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
                  Source: Amcache.hve.8.drBinary or memory string: vmci.syshbin`
                  Source: QUOTATION#08670.exe, 00000000.00000002.2259784482.000001CF98408000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
                  Source: Amcache.hve.8.drBinary or memory string: \driver\vmci,\driver\pci
                  Source: QUOTATION#08670.exe, 00000000.00000002.2259784482.000001CF98408000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
                  Source: QUOTATION#08670.exe, 00000000.00000002.2259784482.000001CF98408000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                  Source: Amcache.hve.8.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                  Source: Amcache.hve.8.drBinary or memory string: VMware20,1
                  Source: Amcache.hve.8.drBinary or memory string: Microsoft Hyper-V Generation Counter
                  Source: Amcache.hve.8.drBinary or memory string: NECVMWar VMware SATA CD00
                  Source: Amcache.hve.8.drBinary or memory string: VMware Virtual disk SCSI Disk Device
                  Source: Amcache.hve.8.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                  Source: Amcache.hve.8.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                  Source: Amcache.hve.8.drBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                  Source: Amcache.hve.8.drBinary or memory string: VMware PCI VMCI Bus Device
                  Source: QUOTATION#08670.exe, 00000000.00000002.2259784482.000001CF98408000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
                  Source: QUOTATION#08670.exe, 00000000.00000002.2259784482.000001CF98408000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
                  Source: Amcache.hve.8.drBinary or memory string: VMware VMCI Bus Device
                  Source: Amcache.hve.8.drBinary or memory string: VMware Virtual RAM
                  Source: Amcache.hve.8.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                  Source: Amcache.hve.8.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeProcess queried: DebugPortJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeProcess queried: DebugPortJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeMemory allocated: page read and write | page guardJump to behavior

                  HIPS / PFW / Operating System Protection Evasion

                  barindex
                  Adds a directory exclusion to Windows Defender
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTATION#08670.exe" -Force
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTATION#08670.exe" -ForceJump to behavior
                  Injects a PE file into a foreign processes
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 value starts with: 4D5AJump to behavior
                  Writes to foreign memory regions
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000Jump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 402000Jump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 440000Jump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 442000Jump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 8F6008Jump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTATION#08670.exe" -ForceJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"Jump to behavior
                  Source: CasPol.exe, 00000005.00000002.4621214709.0000000002DAF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR
                  Source: CasPol.exe, 00000005.00000002.4621214709.0000000002DAF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: q><b>[ Program Manager]</b> (11/12/2024 07:55:25)<br>{Win}r{Win}TH
                  Source: CasPol.exe, 00000005.00000002.4621214709.0000000002DAF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager
                  Source: CasPol.exe, 00000005.00000002.4621214709.0000000002DAF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: q3<b>[ Program Manager]</b> (11/12/2024 07:55:25)<br>
                  Source: CasPol.exe, 00000005.00000002.4621214709.0000000002DCB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: <html>Time: 12/28/2024 18:32:36<br>User Name: user<br>Computer Name: 302494<br>OSFullName: Microsoft Windows 10 Pro<br>CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz<br>RAM: 8191.25 MB<br>IP Address: 8.46.123.175<br><hr><b>[ Program Manager]</b> (11/12/2024 07:55:25)<br>{Win}r{Win}r</html>
                  Source: CasPol.exe, 00000005.00000002.4621214709.0000000002DAF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: q9<b>[ Program Manager]</b> (11/12/2024 07:55:25)<br>{Win}rTH
                  Source: CasPol.exe, 00000005.00000002.4621214709.0000000002DAF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: q?<b>[ Program Manager]</b> (11/12/2024 07:55:25)<br>{Win}r{Win}rTH
                  Source: CasPol.exe, 00000005.00000002.4621214709.0000000002DAF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: q8<b>[ Program Manager]</b> (11/12/2024 07:55:25)<br>{Win}TH
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeQueries volume information: C:\Users\user\Desktop\QUOTATION#08670.exe VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeQueries volume information: C:\Users\user\AppData\Roaming\newapp\newapp.exe VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeQueries volume information: C:\Users\user\AppData\Roaming\newapp\newapp.exe VolumeInformation
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                  Lowering of HIPS / PFW / Operating System Security Settings

                  barindex
                  Disables UAC (registry)
                  Source: C:\Users\user\Desktop\QUOTATION#08670.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUAJump to behavior
                  Source: Amcache.hve.8.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                  Source: Amcache.hve.8.drBinary or memory string: msmpeng.exe
                  Source: Amcache.hve.8.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
                  Source: Amcache.hve.8.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
                  Source: Amcache.hve.8.drBinary or memory string: MsMpEng.exe

                  Stealing of Sensitive Information

                  barindex
                  Yara detected AgentTesla
                  Source: Yara matchFile source: 0.2.QUOTATION#08670.exe.1cfa83cbf08.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.QUOTATION#08670.exe.1cfa838ecc0.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 5.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.QUOTATION#08670.exe.1cfa83cbf08.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.QUOTATION#08670.exe.1cfa838ecc0.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000005.00000002.4621214709.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000005.00000002.4621214709.0000000002D3C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000005.00000002.4609800708.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.2260686823.000001CFA8351000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: QUOTATION#08670.exe PID: 3476, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: CasPol.exe PID: 4900, type: MEMORYSTR
                  Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\SessionsJump to behavior
                  Tries to harvest and steal browser information (history, passwords, etc)
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.iniJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqliteJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.iniJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
                  Tries to harvest and steal ftp login credentials
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\FTP Navigator\Ftplist.txtJump to behavior
                  Tries to steal Mail credentials (via file / registry access)
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\ProfilesJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
                  Source: Yara matchFile source: 0.2.QUOTATION#08670.exe.1cfa83cbf08.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.QUOTATION#08670.exe.1cfa838ecc0.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 5.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.QUOTATION#08670.exe.1cfa83cbf08.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.QUOTATION#08670.exe.1cfa838ecc0.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000005.00000002.4621214709.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000005.00000002.4609800708.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.2260686823.000001CFA8351000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: QUOTATION#08670.exe PID: 3476, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: CasPol.exe PID: 4900, type: MEMORYSTR

                  Remote Access Functionality

                  barindex
                  Yara detected AgentTesla
                  Source: Yara matchFile source: 0.2.QUOTATION#08670.exe.1cfa83cbf08.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.QUOTATION#08670.exe.1cfa838ecc0.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 5.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.QUOTATION#08670.exe.1cfa83cbf08.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.QUOTATION#08670.exe.1cfa838ecc0.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000005.00000002.4621214709.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000005.00000002.4621214709.0000000002D3C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000005.00000002.4609800708.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.2260686823.000001CFA8351000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: QUOTATION#08670.exe PID: 3476, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: CasPol.exe PID: 4900, type: MEMORYSTR

                  Mitre Att&ck Matrix

                  ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                  Gather Victim Identity InformationAcquire InfrastructureValid Accounts121
                  Windows Management Instrumentation                  		1
                  DLL Side-Loading                  		1
                  DLL Side-Loading                  		21
                  Disable or Modify Tools                  		2
                  OS Credential Dumping                  		1
                  File and Directory Discovery                  		Remote Services11
                  Archive Collected Data                  		1
                  Ingress Tool Transfer                  		Exfiltration Over Other Network MediumAbuse Accessibility Features
                  CredentialsDomainsDefault AccountsScheduled Task/Job1
                  Registry Run Keys / Startup Folder                  		212
                  Process Injection                  		1
                  Deobfuscate/Decode Files or Information                  		21
                  Input Capture                  		34
                  System Information Discovery                  		Remote Desktop Protocol2
                  Data from Local System                  		11
                  Encrypted Channel                  		Exfiltration Over BluetoothNetwork Denial of Service
                  Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
                  Registry Run Keys / Startup Folder                  		1
                  Obfuscated Files or Information                  		1
                  Credentials in Registry                  		241
                  Security Software Discovery                  		SMB/Windows Admin Shares1
                  Email Collection                  		2
                  Non-Application Layer Protocol                  		Automated ExfiltrationData Encrypted for Impact
                  Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
                  DLL Side-Loading                  		NTDS2
                  Process Discovery                  		Distributed Component Object Model21
                  Input Capture                  		13
                  Application Layer Protocol                  		Traffic DuplicationData Destruction
                  Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script11
                  Masquerading                  		LSA Secrets161
                  Virtualization/Sandbox Evasion                  		SSH1
                  Clipboard Data                  		Fallback ChannelsScheduled TransferData Encrypted for Impact
                  Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts161
                  Virtualization/Sandbox Evasion                  		Cached Domain Credentials1
                  Application Window Discovery                  		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                  DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items212
                  Process Injection                  		DCSync1
                  System Network Configuration Discovery                  		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                  Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                  Hidden Files and Directories                  		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

                  Behavior Graph

                  Hide Legend

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet
                  behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1572925 Sample: QUOTATION#08670.exe Startdate: 11/12/2024 Architecture: WINDOWS Score: 100 39 ftp.ercolina-usa.com 2->39 41 ercolina-usa.com 2->41 43 api.ipify.org 2->43 51 Found malware configuration 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 Multi AV Scanner detection for submitted file 2->55 57 8 other signatures 2->57 8 QUOTATION#08670.exe 1 4 2->8         started        11 newapp.exe 2 2->11         started        13 newapp.exe 2->13         started        15 svchost.exe 2->15         started        signatures3 process4 dnsIp5 69 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 8->69 71 Writes to foreign memory regions 8->71 73 Adds a directory exclusion to Windows Defender 8->73 75 2 other signatures 8->75 18 CasPol.exe 16 6 8->18         started        23 powershell.exe 23 8->23         started        25 WerFault.exe 22 16 8->25         started        27 conhost.exe 8->27         started        29 conhost.exe 11->29         started        31 conhost.exe 13->31         started        49 127.0.0.1 unknown unknown 15->49 signatures6 process7 dnsIp8 45 ercolina-usa.com 192.254.225.136, 21, 49718, 49719 UNIFIEDLAYER-AS-1US United States 18->45 47 api.ipify.org 172.67.74.152, 443, 49715 CLOUDFLARENETUS United States 18->47 37 C:\Users\user\AppData\Roaming\...\newapp.exe, PE32 18->37 dropped 59 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 18->59 61 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 18->61 63 Tries to steal Mail credentials (via file / registry access) 18->63 67 4 other signatures 18->67 65 Loading BitLocker PowerShell Module 23->65 33 WmiPrvSE.exe 23->33         started        35 conhost.exe 23->35         started        file9 signatures10 process11

                  Screenshots

                  Thumbnails

                  This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                  windows-stand

                  Antivirus, Machine Learning and Genetic Malware Detection

                  Initial Sample

                  SourceDetectionScannerLabelLink
                  QUOTATION#08670.exe21%ReversingLabsWin64.Infostealer.Generic
                  QUOTATION#08670.exe31%VirustotalBrowse
                  QUOTATION#08670.exe100%Joe Sandbox ML

                  Dropped Files

                  SourceDetectionScannerLabelLink
                  C:\Users\user\AppData\Roaming\newapp\newapp.exe0%ReversingLabs
                  C:\Users\user\AppData\Roaming\newapp\newapp.exe0%VirustotalBrowse

                  Unpacked PE Files

                  No Antivirus matches

                  Domains

                  SourceDetectionScannerLabelLink
                  ercolina-usa.com0%VirustotalBrowse
                  ftp.ercolina-usa.com3%VirustotalBrowse

                  URLs

                  No Antivirus matches

                  Domains and IPs

                  Contacted Domains

                  NameIPActiveMaliciousAntivirus DetectionReputation
                  ercolina-usa.com
                  		192.254.225.136
                  		truetrueunknown
                  api.ipify.org
                  		172.67.74.152
                  		truefalse
                    		high
                    ftp.ercolina-usa.com
                    		unknown
                    		unknowntrueunknown

                    Contacted URLs

                    NameMaliciousAntivirus DetectionReputation
                    https://api.ipify.org/false
                      		high

                      URLs from Memory and Binaries

                      NameSourceMaliciousAntivirus DetectionReputation
                      https://g.live.com/odclientsettings/ProdV21C:svchost.exe, 0000001B.00000003.2760841753.000001E07CBC0000.00000004.00000800.00020000.00000000.sdmp, edb.log.27.drfalse
                        		high
                        http://crl.ver)svchost.exe, 0000001B.00000002.4409046537.000001E07CE00000.00000004.00000020.00020000.00000000.sdmpfalse
                          		high
                          https://api.ipify.orgQUOTATION#08670.exe, 00000000.00000002.2260686823.000001CFA8351000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.4621214709.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.4609800708.0000000000402000.00000040.00000400.00020000.00000000.sdmpfalse
                            		high
                            http://upx.sf.netAmcache.hve.8.drfalse
                              		high
                              https://g.live.com/odclientsettings/Prod1C:edb.log.27.drfalse
                                		high
                                https://account.dyn.com/QUOTATION#08670.exe, 00000000.00000002.2260686823.000001CFA8351000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.4609800708.0000000000402000.00000040.00000400.00020000.00000000.sdmpfalse
                                  		high
                                  https://api.ipify.org/tCasPol.exe, 00000005.00000002.4621214709.0000000002CC1000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameCasPol.exe, 00000005.00000002.4621214709.0000000002CC1000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      http://ftp.ercolina-usa.comCasPol.exe, 00000005.00000002.4621214709.0000000002DCB000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.4621214709.0000000002D3C000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.4621214709.0000000002DAF000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        http://ercolina-usa.comCasPol.exe, 00000005.00000002.4621214709.0000000002DCB000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.4621214709.0000000002D3C000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.4621214709.0000000002DAF000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high

                                          World Map of Contacted IPs

                                          • No. of IPs < 25%
                                          • 25% < No. of IPs < 50%
                                          • 50% < No. of IPs < 75%
                                          • 75% < No. of IPs

                                          Public IPs

                                          IPDomainCountryFlagASNASN NameMalicious
                                          192.254.225.136
                                          		ercolina-usa.comUnited States
                                          		46606UNIFIEDLAYER-AS-1UStrue
                                          172.67.74.152
                                          		api.ipify.orgUnited States
                                          		13335CLOUDFLARENETUSfalse

                                          Private

                                          IP
                                          127.0.0.1

                                          General Information

                                          Joe Sandbox version:41.0.0 Charoite
                                          Analysis ID:1572925
                                          Start date and time:2024-12-11 09:25:09 +01:00
                                          Joe Sandbox product:CloudBasic
                                          Overall analysis duration:0h 8m 27s
                                          Hypervisor based Inspection enabled:false
                                          Report type:full
                                          Cookbook file name:default.jbs
                                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                          Number of analysed new started processes analysed:29
                                          Number of new started drivers analysed:0
                                          Number of existing processes analysed:0
                                          Number of existing drivers analysed:0
                                          Number of injected processes analysed:0
                                          Technologies:
                                          • HCA enabled
                                          • EGA enabled
                                          • AMSI enabled
                                          Analysis Mode:default
                                          Analysis stop reason:Timeout
                                          Sample name:QUOTATION#08670.exe
                                          Detection:MAL
                                          Classification:mal100.troj.spyw.expl.evad.winEXE@14/19@2/3
                                          EGA Information:
                                          • Successful, ratio: 50%
                                          HCA Information:
                                          • Successful, ratio: 74%
                                          • Number of executed functions: 112
                                          • Number of non-executed functions: 2
                                          Cookbook Comments:
                                          • Found application associated with file extension: .exe
                                          • Override analysis time to 240000 for current running targets taking high CPU consumption

                                          Warnings

                                          • Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, WerFault.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
                                          • Excluded IPs from analysis (whitelisted): 52.168.117.173, 2.16.229.162, 20.190.147.1, 20.223.35.26, 13.107.246.63, 20.190.181.2, 172.202.163.200, 23.206.197.11, 20.74.47.205, 150.171.28.10, 23.206.197.51
                                          • Excluded domains from analysis (whitelisted): www.bing.com, onedsblobprdeus16.eastus.cloudapp.azure.com, client.wns.windows.com, fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, tse1.mm.bing.net, g.bing.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, login.live.com, e16604.g.akamaiedge.net, blobcollector.events.data.trafficmanager.net, umwatson.events.data.microsoft.com, prod.fs.microsoft.com.akadns.net
                                          • Execution Graph export aborted for target newapp.exe, PID 5720 because it is empty
                                          • Execution Graph export aborted for target newapp.exe, PID 948 because it is empty
                                          • Not all processes where analyzed, report is missing behavior information
                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                          • Report size getting too big, too many NtCreateKey calls found.
                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                          • Report size getting too big, too many NtReadVirtualMemory calls found.
                                          • Report size getting too big, too many NtSetInformationFile calls found.

                                          Simulations

                                          Behavior and APIs

                                          TimeTypeDescription
                                          03:26:11API Interceptor9064484x Sleep call for process: CasPol.exe modified
                                          03:26:13API Interceptor19x Sleep call for process: powershell.exe modified
                                          03:26:16API Interceptor1x Sleep call for process: WerFault.exe modified
                                          03:27:06API Interceptor3x Sleep call for process: svchost.exe modified
                                          09:26:15AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run newapp C:\Users\user\AppData\Roaming\newapp\newapp.exe
                                          09:26:23AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run newapp C:\Users\user\AppData\Roaming\newapp\newapp.exe

                                          Joe Sandbox View / Context

                                          IPs

                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                          192.254.225.136SPECIFICATIONS.exeGet hashmaliciousAgentTeslaBrowse
                                            TECHNICAL SPECIFICATIONS.exeGet hashmaliciousAgentTeslaBrowse
                                              uLFOeGZaJS.exeGet hashmaliciousAgentTeslaBrowse
                                                RICHIESTA D'OFFERTA.exeGet hashmaliciousAgentTesla, PureLog Stealer, zgRATBrowse
                                                  QUOTATION#09678.exeGet hashmaliciousAgentTeslaBrowse
                                                    PURCHASE SPCIFICIATIONS.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                      LISTA DE COTIZACIONES.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                        QUOTATION#5400.exeGet hashmaliciousAgentTeslaBrowse
                                                          QUOTATION#2800-QUANTUM MACTOOLS.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                            QUOTATION#2800-QUANTUM MACTOOLS.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                              172.67.74.152malware.exeGet hashmaliciousTargeted Ransomware, TrojanRansomBrowse
                                                              • api.ipify.org/
                                                              Simple1.exeGet hashmaliciousUnknownBrowse
                                                              • api.ipify.org/
                                                              Simple2.exeGet hashmaliciousUnknownBrowse
                                                              • api.ipify.org/
                                                              systemConfigChecker.exeGet hashmaliciousUnknownBrowse
                                                              • api.ipify.org/
                                                              systemConfigChecker.exeGet hashmaliciousUnknownBrowse
                                                              • api.ipify.org/
                                                              2b7cu0KwZl.exeGet hashmaliciousUnknownBrowse
                                                              • api.ipify.org/
                                                              Zc9eO57fgF.elfGet hashmaliciousUnknownBrowse
                                                              • api.ipify.org/
                                                              67065b4c84713_Javiles.exeGet hashmaliciousRDPWrap ToolBrowse
                                                              • api.ipify.org/
                                                              Yc9hcFC1ux.exeGet hashmaliciousUnknownBrowse
                                                              • api.ipify.org/
                                                              4F08j2Rmd9.binGet hashmaliciousXmrigBrowse
                                                              • api.ipify.org/

                                                              Domains

                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                              api.ipify.orgINVOICE NO. USF23-24072 IGR23110.exeGet hashmaliciousAgentTeslaBrowse
                                                              • 104.26.13.205
                                                              SPECIFICATIONS.exeGet hashmaliciousAgentTeslaBrowse
                                                              • 104.26.13.205
                                                              EEMsLiXoiTzoaDd.scrGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                              • 172.67.74.152
                                                              Statement 2024-11-29 (K07234).exeGet hashmaliciousAgentTeslaBrowse
                                                              • 104.26.12.205
                                                              Employee_Letter.pdfGet hashmaliciousHTMLPhisherBrowse
                                                              • 104.26.13.205
                                                              1mr7lpFIVI.exeGet hashmaliciousUnknownBrowse
                                                              • 104.26.12.205
                                                              jKDBppzWTb.exeGet hashmaliciousAgentTeslaBrowse
                                                              • 172.67.74.152
                                                              enyi.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                              • 104.26.13.205
                                                              proforma invoice.exeGet hashmaliciousAgentTeslaBrowse
                                                              • 104.26.13.205
                                                              x.ps1Get hashmaliciousPureLog Stealer, QuasarBrowse
                                                              • 104.26.12.205

                                                              ASNs

                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                              UNIFIEDLAYER-AS-1UShttps://zsuqwplt.cdrj.com.br/bfackjemFpbmFiLmFscmFobWFAZWphZGFoLmFlqmgtsjGet hashmaliciousUnknownBrowse
                                                              • 192.185.214.196
                                                              http://www.topbuildersolutions.net/clickthrough.aspx?rurl=https://search.app/?link=https://ZSUQWPLT.%63%64%72%6A%2E%63%6F%6D%2E%62%72%2FbfackjemFpbmFiLmFscmFobWFAZWphZGFoLmFlqmgtsj&eid=4070Get hashmaliciousUnknownBrowse
                                                              • 192.185.214.196
                                                              http://www.topbuildersolutions.net/clickthrough.aspx?rurl=https://search.app/?link=https://ARIQNEUB.cdrj.com.br%2Fxpkjxic2FidS5qb2huQGp1bWVpcmFoLmNvbQ==nishhe&eid=4070Get hashmaliciousUnknownBrowse
                                                              • 192.185.214.196
                                                              Hays eft_Receipt number N302143235953.htmGet hashmaliciousUnknownBrowse
                                                              • 69.49.245.172
                                                              EFT Remittance_(Deerequipment)CQDM.htmlGet hashmaliciousUnknownBrowse
                                                              • 69.49.245.172
                                                              https://vcsfi.kidsavancados.com/Get hashmaliciousCaptcha PhishBrowse
                                                              • 108.167.188.184
                                                              FG Or#U00e7amento JAN 2025.pdfGet hashmaliciousUnknownBrowse
                                                              • 108.167.132.213
                                                              INVOICE NO. USF23-24072 IGR23110.exeGet hashmaliciousAgentTeslaBrowse
                                                              • 192.254.186.165
                                                              SPECIFICATIONS.exeGet hashmaliciousAgentTeslaBrowse
                                                              • 192.254.225.136
                                                              ExternalREMITTANCE ACH SCHEDULED 1210241424bec0c449d38092c0dbd844252d73 (24.0 KB).msgGet hashmaliciousUnknownBrowse
                                                              • 69.49.245.172
                                                              CLOUDFLARENETUSDEC 2024 RFQ.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                              • 104.21.67.152
                                                              LXS5itpTK7.exeGet hashmaliciousStealcBrowse
                                                              • 104.21.56.70
                                                              https://advertising-case-id419348.d1yaxxd8bf42y5.amplifyapp.com/Get hashmaliciousUnknownBrowse
                                                              • 104.26.5.15
                                                              apDMcnqqWs.exeGet hashmaliciousUnknownBrowse
                                                              • 162.159.138.232
                                                              e8YDxjwJiT.exeGet hashmaliciousUnknownBrowse
                                                              • 104.21.27.3
                                                              TlNDyT2f5c.exeGet hashmaliciousUnknownBrowse
                                                              • 104.21.27.3
                                                              https://www.picotech.com/download/software/sr/PicoScope6_r6_14_69.exeGet hashmaliciousHavocBrowse
                                                              • 172.67.0.58
                                                              Itaxyhi.exeGet hashmaliciousPhemedrone StealerBrowse
                                                              • 172.67.70.233
                                                              SEejSLAS9f.exeGet hashmaliciousStealcBrowse
                                                              • 172.67.179.207
                                                              CJE003889.exeGet hashmaliciousFormBookBrowse
                                                              • 172.67.158.81

                                                              JA3 Fingerprints

                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                              3b5074b1b5d032e5620f69f9f700ff0eDEC 2024 RFQ.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                              • 172.67.74.152
                                                              apDMcnqqWs.exeGet hashmaliciousUnknownBrowse
                                                              • 172.67.74.152
                                                              e8YDxjwJiT.exeGet hashmaliciousUnknownBrowse
                                                              • 172.67.74.152
                                                              TlNDyT2f5c.exeGet hashmaliciousUnknownBrowse
                                                              • 172.67.74.152
                                                              Itaxyhi.exeGet hashmaliciousPhemedrone StealerBrowse
                                                              • 172.67.74.152
                                                              Aclatis tool.exeGet hashmaliciousUnknownBrowse
                                                              • 172.67.74.152
                                                              Aclatis tool.exeGet hashmaliciousUnknownBrowse
                                                              • 172.67.74.152
                                                              Confirm revised invoice to proceed with payment ASAP.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
                                                              • 172.67.74.152
                                                              751ietQPnX.lnkGet hashmaliciousRHADAMANTHYSBrowse
                                                              • 172.67.74.152

                                                              Dropped Files

                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                              C:\Users\user\AppData\Roaming\newapp\newapp.exeRequest for Quotation.pdf.exeGet hashmaliciousXWormBrowse
                                                                RFQ_PO_UMQ736-ORDER#MATERIALS-LQKP0489.exeGet hashmaliciousXWormBrowse
                                                                  SecuriteInfo.com.Win64.MalwareX-gen.2119.3372.exeGet hashmaliciousXWormBrowse
                                                                    PO_112234525626823775.jsGet hashmaliciousLokibotBrowse
                                                                      PO_5545356763 7767634763.exeGet hashmaliciousUnknownBrowse
                                                                        INV_35689.vbeGet hashmaliciousAveMaria, UACMeBrowse
                                                                          2KEOzMcha8.lnkGet hashmaliciousXWormBrowse
                                                                            0097-CGM CIGIEMME S.p.A.exeGet hashmaliciousAgentTeslaBrowse
                                                                              Halkbank_Ekstre_2024061918_088957_785452.xlxs.exeGet hashmaliciousAgentTeslaBrowse
                                                                                09820292829102.exeGet hashmaliciousAgentTeslaBrowse

                                                                                  Created / dropped Files

                                                                                  C:\ProgramData\Microsoft\Network\Downloader\edb.chk

                                                                                  Download File
                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):8192
                                                                                  Entropy (8bit):0.35901589905449205
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:6xKdoaaD0JOCEfMuaaD0JOCEfMKQmDCexKdoaaD0JOCEfMuaaD0JOCEfMKQmDC:6aaD0JcaaD0JwQQHaaD0JcaaD0JwQQ
                                                                                  MD5:C788EDB928436D0CE10A5BF198837D8A
                                                                                  SHA1:F104B6AB797E0B16362BFB69F5000407CE6EFFD8
                                                                                  SHA-256:E309925E38D727B91C5B0AD9FC86A778ECD0EBE80261F55E870AD6685B0CC0BD
                                                                                  SHA-512:61F750C97F2E1EAF623486147F55B4BF39C34DF28DD124FA378973965A2AE0AAA967D71C88BE0D02E1B2D2B22E20199B9E817BE793A10C0CC9D12FE703E18CF2
                                                                                  Malicious:false
                                                                                  Preview:*.>...........k.....D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................................................k.............................................................................................................................................................................................................................................................................................................................................................

                                                                                  C:\ProgramData\Microsoft\Network\Downloader\edb.log

                                                                                  Download File
                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1310720
                                                                                  Entropy (8bit):0.7304447629050714
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:9J8s6YR3pnhWKInznxTgScwXhCeEcrKYSZNmTHk4UQJ32aqGT46yAwFM5hA7yH0y:9JZj5MiKNnNhoxuT
                                                                                  MD5:C69178DF480B26C712A642B1B030882D
                                                                                  SHA1:329A4DA3FCCCF444C2185F587A07AE4A33AD0EC3
                                                                                  SHA-256:504030E0B6D1375CF72717F1E66A8C5FB2A85BCEC6A29BDB1407988F58FE9A31
                                                                                  SHA-512:44F7B361984264F7D6B916C090EDF6FD989EBF75914C02D378D9A606A79CBDAA4B89707B75346C9298690E736142A8AB204E8904B440088CEE2D6C89490F9E81
                                                                                  Malicious:false
                                                                                  Preview:...........@..@9....{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@....................................Fajaj.#.........`h.................h.......6.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

                                                                                  C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

                                                                                  Download File
                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                  File Type:Extensible storage user DataBase, version 0x620, checksum 0xe633fadb, page size 16384, Windows version 10.0
                                                                                  Category:dropped
                                                                                  Size (bytes):1310720
                                                                                  Entropy (8bit):0.629190155363816
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:XSB2ESB2SSjlK/HZH03N9Jdt8gYkr3g16l2UPkLk+kDWyrufTRryrUOLUzCJ:Xaza9iJa+2UtmOQOL
                                                                                  MD5:6488BC3868D9168FED09C66BAB8CF878
                                                                                  SHA1:87F4455440E65EA259930553F3866D599F53EB35
                                                                                  SHA-256:8CF0C861540F1AE0AA4B5D663230E2F78736CAD7E914D6F30CB9C74E07B7E85B
                                                                                  SHA-512:8D6DC7868491351394FF24F0B7FBB0E35AEA3D7EDF9B2B8B4504E691C572355B2264979F46A9D08A0E7B57165F2B65A0D7CCFEBE051D21C5F199B4783EE226E9
                                                                                  Malicious:false
                                                                                  Preview:.3..... .......P.......X\...;...{......................0.j..........|.......|..h.g..........|..0.j.........D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ............................................................................................................................................................................................................2...{...................................r.......|....................X......|...........................#......0.j.....................................................................................................................................................................................................................................................................................................................................................

                                                                                  C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

                                                                                  Download File
                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):16384
                                                                                  Entropy (8bit):0.07959283644269463
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:seS/WetYeUSustuGtlfu3k7cpMUpuAll/B8x7cGtlAllHol///lZMPCyH:snzHJXGU7YMGl+cGXApo5
                                                                                  MD5:352F57872AEC5BD2478D9DA0215894F8
                                                                                  SHA1:3632CDF41B946E9D23A3902D0AF2FD26B64EF6AE
                                                                                  SHA-256:45C3BA46B1347428EBF66FD83D58D381FDA6D1EE5FA0D17D15452BD9C2FF8C6F
                                                                                  SHA-512:D9F95725DE209C8E23F76964C5F816849E7776A91EAC0ED8CF87D566289FA358BAAD23088C1B596171A855F90DD479B184165D70EDC37A872DB4CC8072D26442
                                                                                  Malicious:false
                                                                                  Preview:.d'{.....................................;...{.......|.......|...............|.......|..TG.A.....|....................X......|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                  C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_QUOTATION#08670._ded9c2b02a112c627fa2bc189757858bd4a2e4_d27265d9_ca1fc45b-6ffd-4451-8c84-d2e0ed457cc6\Report.wer

                                                                                  Download File
                                                                                  Process:C:\Windows\System32\WerFault.exe
                                                                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):65536
                                                                                  Entropy (8bit):1.1541425124364988
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:OsIjAdoG6on0M9odaWBBYtDGhzuiFpZ24lO8+w:OfqotDM9odamYWzuiFpY4lO8+
                                                                                  MD5:033381F6ADFD20DC31957B2768F1A282
                                                                                  SHA1:3C61A6CFB98B1513F3361235DB275333B1152AB9
                                                                                  SHA-256:1E5F24D1032516FC81BC2BE34E3C8052292EB665FE8C1095E836F1C68C3752FD
                                                                                  SHA-512:970C8E7B20CF0408C3050D703A6830800FB922CD7FD7D69513E187D572452253C33600CA9C1589B1EDA5C3F7C501C45A8614D47D77445FD8E7BC459C8CC6CF1F
                                                                                  Malicious:false
                                                                                  Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.8.3.7.9.1.6.8.3.9.9.4.9.7.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.8.3.7.9.1.7.1.4.1.5.1.4.4.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.a.1.f.c.4.5.b.-.6.f.f.d.-.4.4.5.1.-.8.c.8.4.-.d.2.e.0.e.d.4.5.7.c.c.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.1.9.b.4.6.0.f.-.c.c.e.5.-.4.b.6.8.-.a.c.5.3.-.6.c.9.1.2.0.e.a.6.8.9.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.Q.U.O.T.A.T.I.O.N.#.0.8.6.7.0...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.C.o.n.s.o.l.e.A.p.p.l.i.c.a.t.i.o.n.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.d.9.4.-.0.0.0.1.-.0.0.1.5.-.3.c.b.9.-.8.6.5.1.a.6.4.b.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.c.d.c.b.f.4.1.1.f.6.6.d.4.5.5.e.6.0.e.4.3.6.2.c.d.b.d.5.d.b.0.a.0.0.0.0.0.0.0.0.!.0.0.0.0.4.d.2.e.4.2.0.a.a.6.a.8.2.8.9.7.6.3.b.9.c.0.a.7.9.f.c.c.b.7.e.1.8.e.e.0.

                                                                                  C:\ProgramData\Microsoft\Windows\WER\Temp\WER28F3.tmp.dmp

                                                                                  Download File
                                                                                  Process:C:\Windows\System32\WerFault.exe
                                                                                  File Type:Mini DuMP crash report, 16 streams, Wed Dec 11 08:26:10 2024, 0x1205a4 type
                                                                                  Category:dropped
                                                                                  Size (bytes):493857
                                                                                  Entropy (8bit):3.329037324067248
                                                                                  Encrypted:false
                                                                                  SSDEEP:3072:PQfIevpvLYoAwtMv4fKcSoeXLTNQlY1CCqEFO3+vNxknV0:PzAFLYoAjOC57qv3Q7ke
                                                                                  MD5:3E093F5425CA13F59BCE85F3C0A86720
                                                                                  SHA1:01C07D24959004353C714831EF26911B390A58FE
                                                                                  SHA-256:62C64216A896DB793BB29932A731C2577460F7949F647B3A67AFE5A090369FC2
                                                                                  SHA-512:05FB75371FD16DA7B4C191B7838756209AC6F5E9B949672EAA95A96FEB10AB066768193469E05F78EFBDE6705DDBF5F984D2C4FEC574B782B4BB0689B96F11C4
                                                                                  Malicious:false
                                                                                  Preview:MDMP..a..... ........LYg............t...........H...........$....%.......3...&.......o..j...........l.......8...........T............9..AO...........Y...........[..............................................................................eJ......L\......Lw......................T............LYg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                  C:\ProgramData\Microsoft\Windows\WER\Temp\WER3335.tmp.WERInternalMetadata.xml

                                                                                  Download File
                                                                                  Process:C:\Windows\System32\WerFault.exe
                                                                                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):8832
                                                                                  Entropy (8bit):3.7129118260093117
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:R6l7wVeJ3kO6Y2Dqmp9gmfZQkprV89bp0kfFDm:R6lXJUO6YGp9gmfaTpffs
                                                                                  MD5:EA48EAB9DEC1C2656022BB7A0923CB38
                                                                                  SHA1:B9BEC32F07B30ED9FEC4BA8A3E0329FD550D3562
                                                                                  SHA-256:C5EA70E859101569D524CADC024706DB56D972F9E31F8EC5DAAF803DDA1A7AA4
                                                                                  SHA-512:BEC8EF36A01707AF623B5E418DA101BC7956E32235077CC5FFA4DAD65A916428726840EB9F9CB02672FAE45F80B48E99781298A42882538C12E33B24C0309B58
                                                                                  Malicious:false
                                                                                  Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.4.7.6.<./.P.i.

                                                                                  C:\ProgramData\Microsoft\Windows\WER\Temp\WER3375.tmp.xml

                                                                                  Download File
                                                                                  Process:C:\Windows\System32\WerFault.exe
                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):4847
                                                                                  Entropy (8bit):4.539628516322753
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:cvIwWl8zsjJg771I97ipWpW8VYRYm8M4JhrSExFkyq8vfSEiVEYxNz0Nud:uIjf9I7lY7VZJhr74Wf7gEgNz0Nud
                                                                                  MD5:E50F3CFD1F561ECADE73C84C57F353FD
                                                                                  SHA1:83E9048EA951CB7967556E4E733AA60F1B044A48
                                                                                  SHA-256:DD3C7813633C61D7CB2397C266200F54F0489B209EEF92EDEF634FFCD9D7EA99
                                                                                  SHA-512:8F77BB15C7EABC2D2C34E6416555BFDCB30C789FB48692AEA28FAD1F8646AFFB6B7550CF86684EA72B0CE4FFA9623677A3A88BC59EAC8B271B83C25C9D4519C8
                                                                                  Malicious:false
                                                                                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="626368" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

                                                                                  C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\newapp.exe.log

                                                                                  Download File
                                                                                  Process:C:\Users\user\AppData\Roaming\newapp\newapp.exe
                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                  Category:modified
                                                                                  Size (bytes):42
                                                                                  Entropy (8bit):4.0050635535766075
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:QHXMKa/xwwUy:Q3La/xwQ
                                                                                  MD5:84CFDB4B995B1DBF543B26B86C863ADC
                                                                                  SHA1:D2F47764908BF30036CF8248B9FF5541E2711FA2
                                                                                  SHA-256:D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
                                                                                  SHA-512:485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
                                                                                  Malicious:false
                                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..

                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                  Download File
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):64
                                                                                  Entropy (8bit):1.1940658735648508
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:NlllulDsU/lL:NllUw0l
                                                                                  MD5:40AD2DADD7C6A77A6CBDE5057E88E60A
                                                                                  SHA1:CF25D4A536DA991F8D656DAAFB7D6A26239264EA
                                                                                  SHA-256:8A1847256A0D388487F911FCE41E80E711DFF9CDCF09A7A3BB7465FB13867A66
                                                                                  SHA-512:3EEA710C6BAD9A37B60902DC731F37B72E22C98CEBE95C56F8A0A88FD1A5C479D46953D2547F55F26438C1ABC164E3FF8849CA8B385F1B699CB156846CE146C3
                                                                                  Malicious:false
                                                                                  Preview:@...e...................................1............@..........

                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1othnnnn.rpl.ps1

                                                                                  Download File
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):60
                                                                                  Entropy (8bit):4.038920595031593
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                  Malicious:false
                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_32ilg1sr.4n0.psm1

                                                                                  Download File
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):60
                                                                                  Entropy (8bit):4.038920595031593
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                  Malicious:false
                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_d0t2432c.whl.psm1

                                                                                  Download File
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):60
                                                                                  Entropy (8bit):4.038920595031593
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                  Malicious:false
                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tt0wu3gx.nko.ps1

                                                                                  Download File
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):60
                                                                                  Entropy (8bit):4.038920595031593
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                  Malicious:false
                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                  C:\Users\user\AppData\Roaming\newapp\newapp.exe

                                                                                  Download File
                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:modified
                                                                                  Size (bytes):108664
                                                                                  Entropy (8bit):5.8959760602012965
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:QSF7vA1hRqHNxxMjlI3ZC+0CtOss6mdcQ6A4vhZ91RKGpQJN:nA1hYPMUs6mdclA4vhNRKG4N
                                                                                  MD5:914F728C04D3EDDD5FBA59420E74E56B
                                                                                  SHA1:8C68CA3F013C490161C0156EF359AF03594AE5E2
                                                                                  SHA-256:7D3BDB5B7EE9685C7C18C0C3272DA2A593F6C5C326F1EA67F22AAE27C57BA1E6
                                                                                  SHA-512:D7E49B361544BA22A0C66CF097E9D84DB4F3759FBCC20386251CAAC6DA80C591861C1468CB7A102EEE1A1F86C974086EBC61DE4027F9CD22AD06D63550400D6D
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  • Antivirus: Virustotal, Detection: 0%, Browse
                                                                                  Joe Sandbox View:
                                                                                  • Filename: Request for Quotation.pdf.exe, Detection: malicious, Browse
                                                                                  • Filename: RFQ_PO_UMQ736-ORDER#MATERIALS-LQKP0489.exe, Detection: malicious, Browse
                                                                                  • Filename: SecuriteInfo.com.Win64.MalwareX-gen.2119.3372.exe, Detection: malicious, Browse
                                                                                  • Filename: PO_112234525626823775.js, Detection: malicious, Browse
                                                                                  • Filename: PO_5545356763 7767634763.exe, Detection: malicious, Browse
                                                                                  • Filename: INV_35689.vbe, Detection: malicious, Browse
                                                                                  • Filename: 2KEOzMcha8.lnk, Detection: malicious, Browse
                                                                                  • Filename: 0097-CGM CIGIEMME S.p.A.exe, Detection: malicious, Browse
                                                                                  • Filename: Halkbank_Ekstre_2024061918_088957_785452.xlxs.exe, Detection: malicious, Browse
                                                                                  • Filename: 09820292829102.exe, Detection: malicious, Browse
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....<.]..............0..X...........v... ........@.. ..............................O.....`.................................\v..O.......$............f..xB..........$u............................................... ............... ..H............text....V... ...X.................. ..`.rsrc...$............Z..............@..@.reloc...............d..............@..B.................v......H.......(...................xE..$t......................................2~P....o....*.r...p(....*VrK..p(....s.....P...*..0.._.......~....:O....>.....%.rm..p...A...s......su....%.r...p...A...s....rm..p.su....%.r...p...B...s......su....%.r...p...B...s....r...p.su....%.r...p...C...s......su....%.r...p...C...s....r...p.su....%.r...p...D...s......su....%.r...p...D...s....r...p.su....%.r...p...E...s......su....%..r...p...E...s....r...p.su....%..r...p...F...s......su....%..r...p...F

                                                                                  C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

                                                                                  Download File
                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                  File Type:JSON data
                                                                                  Category:dropped
                                                                                  Size (bytes):55
                                                                                  Entropy (8bit):4.306461250274409
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                  MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                  SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                  SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                  SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                  Malicious:false
                                                                                  Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

                                                                                  C:\Windows\appcompat\Programs\Amcache.hve

                                                                                  Download File
                                                                                  Process:C:\Windows\System32\WerFault.exe
                                                                                  File Type:MS Windows registry file, NT/2000 or above
                                                                                  Category:dropped
                                                                                  Size (bytes):1835008
                                                                                  Entropy (8bit):4.468940287709282
                                                                                  Encrypted:false
                                                                                  SSDEEP:6144:szZfpi6ceLPx9skLmb0f4ZWSP3aJG8nAgeiJRMMhA2zX4WABluuNNjDH5S:SZHt4ZWOKnMM6bFpXj4
                                                                                  MD5:91A2E3054F3D8AD97DBF3782AD4C4CCF
                                                                                  SHA1:3103421C51009F5FC79EF67453832B8A15D1E3C1
                                                                                  SHA-256:26E52FA0CF50D48506FA4AC34CA88FF7ECFFA032EE02107856F3A8CA654F43ED
                                                                                  SHA-512:D2FB0419D9EDDD64FB01BA142C330997EC518AE0D444481086DD05EEC5E3B3051E281565B3DD9F1AF5080AAF84FC8EE3F09AF5DC4EBABCDE83D2743F136935A1
                                                                                  Malicious:false
                                                                                  Preview:regfH...H....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..S.K................................................................................................................................................................................................................................................................................................................................................g........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                  \Device\ConDrv

                                                                                  Download File
                                                                                  Process:C:\Users\user\AppData\Roaming\newapp\newapp.exe
                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):486
                                                                                  Entropy (8bit):5.043661544202442
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:z30d30C4BFNY8fNFquci7S1pE+DPOCN6+QOH5JyY:z3I3+DO4UE+Tz5JB
                                                                                  MD5:323764DD20845C0EE00598E8EE35467C
                                                                                  SHA1:7A3DC131CCF4B3A41893F83C553193267A7F654F
                                                                                  SHA-256:7DEBA11FDF38735A63038192BF033BAE7F49E72E598F0AEFD3FC626477A31FEF
                                                                                  SHA-512:BF353BCB64D65024C7E627788D32087C15EC5F8780AACF61D57BC22923F2283D0A5ED389CA644270013835EF26269F2E5EEE4ED610AC88254855DE80D67F3700
                                                                                  Malicious:false
                                                                                  Preview:Microsoft .NET Framework CasPol 4.8.4084.0..for Microsoft .NET Framework version 4.8.4084.0..Copyright (C) Microsoft Corporation. All rights reserved.....WARNING: The .NET Framework does not apply CAS policy by default. Any settings shown or modified by CasPol will only ..affect applications that opt into using CAS policy. ....Please see http://go.microsoft.com/fwlink/?LinkId=131738 for more information. ......ERROR: Not enough arguments....For usage information, use 'caspol -?'..

                                                                                  Static File Info

                                                                                  General

                                                                                  File type:PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                  Entropy (8bit):7.996657860029066
                                                                                  TrID:
                                                                                  • Win64 Executable Console Net Framework (206006/5) 48.58%
                                                                                  • Win64 Executable Console (202006/5) 47.64%
                                                                                  • Win64 Executable (generic) (12005/4) 2.83%
                                                                                  • Generic Win/DOS Executable (2004/3) 0.47%
                                                                                  • DOS Executable Generic (2002/1) 0.47%
                                                                                  File name:QUOTATION#08670.exe
                                                                                  File size:604'296 bytes
                                                                                  MD5:93bdfd46628601b04ea067e5f52187d7
                                                                                  SHA1:4d2e420aa6a8289763b9c0a79fccb7e18ee02294
                                                                                  SHA256:f2d566b1b667cf8ea8c35f2827f62e7430941e1fdd13019811768e3a942ec926
                                                                                  SHA512:1397ea8a0b29caa8497bc4efb4c20652980c2c76f617a2c235b925bb1ddd7c830f2b661feca5674b002479d230b78240455afa6a31c4854dba3229b903bb8f8c
                                                                                  SSDEEP:12288:0ZgE2xCedYZjsPmHfw+KsbAMgqURZyaRbN7RjVI06fbXB12dzJJVNcxWq:0ZgEa7dYlsPm/msR1QfJI591ezJHNcH
                                                                                  TLSH:66D4232DBBC84325E16CD7B2D4737C609459A8CF2C422B7B20C6D959C51E3A9079CFEA
                                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...fWXg.........."...0.(................ ....@...... .......................`............`................................

                                                                                  File Icon

                                                                                  Icon Hash:00928e8e8686b000

                                                                                  Static PE Info

                                                                                  General

                                                                                  Entrypoint:0x400000
                                                                                  Entrypoint Section:
                                                                                  Digitally signed:false
                                                                                  Imagebase:0x400000
                                                                                  Subsystem:windows cui
                                                                                  Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                                  DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                  Time Stamp:0x67585766 [Tue Dec 10 14:59:50 2024 UTC]
                                                                                  TLS Callbacks:
                                                                                  CLR (.Net) Version:
                                                                                  OS Version Major:4
                                                                                  OS Version Minor:0
                                                                                  File Version Major:4
                                                                                  File Version Minor:0
                                                                                  Subsystem Version Major:4
                                                                                  Subsystem Version Minor:0
                                                                                  Import Hash:

                                                                                  Entrypoint Preview

                                                                                  Instruction
                                                                                  dec ebp
                                                                                  pop edx
                                                                                  nop
                                                                                  add byte ptr [ebx], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax+eax], al
                                                                                  add byte ptr [eax], al

                                                                                  Data Directories

                                                                                  NameVirtual AddressVirtual Size Is in Section
                                                                                  IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                                  IMAGE_DIRECTORY_ENTRY_IMPORT0x00x0
                                                                                  IMAGE_DIRECTORY_ENTRY_RESOURCE0x40000x5f6.rsrc
                                                                                  IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                                  IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                                  IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
                                                                                  IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                                                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                                  IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                                  IMAGE_DIRECTORY_ENTRY_IAT0x00x0
                                                                                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20000x48.text
                                                                                  IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                                  Sections

                                                                                  NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                                  .text0x20000x1e280x2000cbca7638eda5f70dee187f0246c4577bFalse0.604736328125data6.055618071226943IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                                  .rsrc0x40000x5f60x6005826f3aed3590dec1a7579511b38ce91False0.4205729166666667data4.182503871777562IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                                                                  Resources

                                                                                  NameRVASizeTypeLanguageCountryZLIB Complexity
                                                                                  RT_VERSION0x40a00x36cdata0.3972602739726027
                                                                                  RT_MANIFEST0x440c0x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5489795918367347

                                                                                  Network Behavior

                                                                                  Network Port Distribution

                                                                                  TCP Packets

                                                                                  TimestampSource PortDest PortSource IPDest IP
                                                                                  Dec 11, 2024 09:26:08.867377043 CET49715443192.168.2.6172.67.74.152
                                                                                  Dec 11, 2024 09:26:08.867417097 CET44349715172.67.74.152192.168.2.6
                                                                                  Dec 11, 2024 09:26:08.868853092 CET49715443192.168.2.6172.67.74.152
                                                                                  Dec 11, 2024 09:26:08.921477079 CET49715443192.168.2.6172.67.74.152
                                                                                  Dec 11, 2024 09:26:08.921498060 CET44349715172.67.74.152192.168.2.6
                                                                                  Dec 11, 2024 09:26:10.142571926 CET44349715172.67.74.152192.168.2.6
                                                                                  Dec 11, 2024 09:26:10.142677069 CET49715443192.168.2.6172.67.74.152
                                                                                  Dec 11, 2024 09:26:10.170567989 CET49715443192.168.2.6172.67.74.152
                                                                                  Dec 11, 2024 09:26:10.170588017 CET44349715172.67.74.152192.168.2.6
                                                                                  Dec 11, 2024 09:26:10.170830011 CET44349715172.67.74.152192.168.2.6
                                                                                  Dec 11, 2024 09:26:10.364346027 CET49715443192.168.2.6172.67.74.152
                                                                                  Dec 11, 2024 09:26:10.846026897 CET49715443192.168.2.6172.67.74.152
                                                                                  Dec 11, 2024 09:26:10.891340017 CET44349715172.67.74.152192.168.2.6
                                                                                  Dec 11, 2024 09:26:11.178541899 CET44349715172.67.74.152192.168.2.6
                                                                                  Dec 11, 2024 09:26:11.178601980 CET44349715172.67.74.152192.168.2.6
                                                                                  Dec 11, 2024 09:26:11.178668022 CET49715443192.168.2.6172.67.74.152
                                                                                  Dec 11, 2024 09:26:11.218447924 CET49715443192.168.2.6172.67.74.152
                                                                                  Dec 11, 2024 09:26:13.215630054 CET4971821192.168.2.6192.254.225.136
                                                                                  Dec 11, 2024 09:26:13.336097002 CET2149718192.254.225.136192.168.2.6
                                                                                  Dec 11, 2024 09:26:13.336729050 CET4971821192.168.2.6192.254.225.136
                                                                                  Dec 11, 2024 09:26:13.363349915 CET4971821192.168.2.6192.254.225.136
                                                                                  Dec 11, 2024 09:26:13.484947920 CET2149718192.254.225.136192.168.2.6
                                                                                  Dec 11, 2024 09:26:13.488395929 CET4971821192.168.2.6192.254.225.136
                                                                                  Dec 11, 2024 09:26:13.713069916 CET4971921192.168.2.6192.254.225.136
                                                                                  Dec 11, 2024 09:26:13.833697081 CET2149719192.254.225.136192.168.2.6
                                                                                  Dec 11, 2024 09:26:13.833777905 CET4971921192.168.2.6192.254.225.136
                                                                                  Dec 11, 2024 09:26:13.833996058 CET4971921192.168.2.6192.254.225.136
                                                                                  Dec 11, 2024 09:26:13.835439920 CET4972021192.168.2.6192.254.225.136
                                                                                  Dec 11, 2024 09:26:13.954716921 CET2149719192.254.225.136192.168.2.6
                                                                                  Dec 11, 2024 09:26:13.954807043 CET4971921192.168.2.6192.254.225.136
                                                                                  Dec 11, 2024 09:26:13.955890894 CET2149720192.254.225.136192.168.2.6
                                                                                  Dec 11, 2024 09:26:13.955986023 CET4972021192.168.2.6192.254.225.136
                                                                                  Dec 11, 2024 09:26:13.956193924 CET4972021192.168.2.6192.254.225.136
                                                                                  Dec 11, 2024 09:26:13.957678080 CET4972121192.168.2.6192.254.225.136
                                                                                  Dec 11, 2024 09:26:14.077338934 CET2149720192.254.225.136192.168.2.6
                                                                                  Dec 11, 2024 09:26:14.077393055 CET4972021192.168.2.6192.254.225.136
                                                                                  Dec 11, 2024 09:26:14.078254938 CET2149721192.254.225.136192.168.2.6
                                                                                  Dec 11, 2024 09:26:14.078373909 CET4972121192.168.2.6192.254.225.136
                                                                                  Dec 11, 2024 09:26:14.078541994 CET4972121192.168.2.6192.254.225.136
                                                                                  Dec 11, 2024 09:26:14.199629068 CET2149721192.254.225.136192.168.2.6
                                                                                  Dec 11, 2024 09:26:14.200269938 CET4972121192.168.2.6192.254.225.136
                                                                                  Dec 11, 2024 09:27:56.049801111 CET4998421192.168.2.6192.254.225.136
                                                                                  Dec 11, 2024 09:27:56.170242071 CET2149984192.254.225.136192.168.2.6
                                                                                  Dec 11, 2024 09:27:56.170783997 CET4998421192.168.2.6192.254.225.136
                                                                                  Dec 11, 2024 09:27:56.174698114 CET4998421192.168.2.6192.254.225.136
                                                                                  Dec 11, 2024 09:27:56.295253038 CET2149984192.254.225.136192.168.2.6
                                                                                  Dec 11, 2024 09:27:56.297162056 CET4998421192.168.2.6192.254.225.136

                                                                                  UDP Packets

                                                                                  TimestampSource PortDest PortSource IPDest IP
                                                                                  Dec 11, 2024 09:26:08.722477913 CET5198953192.168.2.61.1.1.1
                                                                                  Dec 11, 2024 09:26:08.861620903 CET53519891.1.1.1192.168.2.6
                                                                                  Dec 11, 2024 09:26:12.346748114 CET6527753192.168.2.61.1.1.1
                                                                                  Dec 11, 2024 09:26:13.181478024 CET53652771.1.1.1192.168.2.6

                                                                                  DNS Queries

                                                                                  TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                  Dec 11, 2024 09:26:08.722477913 CET192.168.2.61.1.1.10x6d26Standard query (0)api.ipify.orgA (IP address)IN (0x0001)false
                                                                                  Dec 11, 2024 09:26:12.346748114 CET192.168.2.61.1.1.10xbe14Standard query (0)ftp.ercolina-usa.comA (IP address)IN (0x0001)false

                                                                                  DNS Answers

                                                                                  TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                  Dec 11, 2024 09:26:08.861620903 CET1.1.1.1192.168.2.60x6d26No error (0)api.ipify.org172.67.74.152A (IP address)IN (0x0001)false
                                                                                  Dec 11, 2024 09:26:08.861620903 CET1.1.1.1192.168.2.60x6d26No error (0)api.ipify.org104.26.12.205A (IP address)IN (0x0001)false
                                                                                  Dec 11, 2024 09:26:08.861620903 CET1.1.1.1192.168.2.60x6d26No error (0)api.ipify.org104.26.13.205A (IP address)IN (0x0001)false
                                                                                  Dec 11, 2024 09:26:13.181478024 CET1.1.1.1192.168.2.60xbe14No error (0)ftp.ercolina-usa.comercolina-usa.comCNAME (Canonical name)IN (0x0001)false
                                                                                  Dec 11, 2024 09:26:13.181478024 CET1.1.1.1192.168.2.60xbe14No error (0)ercolina-usa.com192.254.225.136A (IP address)IN (0x0001)false

                                                                                  HTTP Request Dependency Graph

                                                                                  • api.ipify.org

                                                                                  HTTPS Proxied Packets

                                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                  0192.168.2.649715172.67.74.1524434900C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                  TimestampBytes transferredDirectionData
                                                                                  2024-12-11 08:26:10 UTC155OUTGET / HTTP/1.1
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                                                                                  Host: api.ipify.org
                                                                                  Connection: Keep-Alive
                                                                                  2024-12-11 08:26:11 UTC425INHTTP/1.1 200 OK
                                                                                  Date: Wed, 11 Dec 2024 08:26:11 GMT
                                                                                  Content-Type: text/plain
                                                                                  Content-Length: 12
                                                                                  Connection: close
                                                                                  Vary: Origin
                                                                                  CF-Cache-Status: DYNAMIC
                                                                                  Server: cloudflare
                                                                                  CF-RAY: 8f04169acf044245-EWR
                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1573&min_rtt=1564&rtt_var=606&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2819&recv_bytes=769&delivery_rate=1778319&cwnd=187&unsent_bytes=0&cid=2e46955a71db2b49&ts=1044&x=0"
                                                                                  2024-12-11 08:26:11 UTC12INData Raw: 38 2e 34 36 2e 31 32 33 2e 31 37 35
                                                                                  Data Ascii: 8.46.123.175


                                                                                  Statistics

                                                                                  CPU Usage

                                                                                  Click to jump to process

                                                                                  Memory Usage

                                                                                  Click to jump to process

                                                                                  High Level Behavior Distribution

                                                                                  Click to dive into process behavior distribution

                                                                                  Behavior

                                                                                  Click to jump to process

                                                                                  System Behavior

                                                                                  General

                                                                                  Target ID:0
                                                                                  Start time:03:26:04
                                                                                  Start date:11/12/2024
                                                                                  Path:C:\Users\user\Desktop\QUOTATION#08670.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:"C:\Users\user\Desktop\QUOTATION#08670.exe"
                                                                                  Imagebase:0x1cf96750000
                                                                                  File size:604'296 bytes
                                                                                  MD5 hash:93BDFD46628601B04EA067E5F52187D7
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2259784482.000001CF98408000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2260686823.000001CFA8351000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2260686823.000001CFA8351000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                  Reputation:low
                                                                                  Has exited:true

                                                                                  General

                                                                                  Target ID:1
                                                                                  Start time:03:26:04
                                                                                  Start date:11/12/2024
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff66e660000
                                                                                  File size:862'208 bytes
                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  General

                                                                                  Target ID:3
                                                                                  Start time:03:26:07
                                                                                  Start date:11/12/2024
                                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTATION#08670.exe" -Force
                                                                                  Imagebase:0x7ff6e3d50000
                                                                                  File size:452'608 bytes
                                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  General

                                                                                  Target ID:4
                                                                                  Start time:03:26:07
                                                                                  Start date:11/12/2024
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff66e660000
                                                                                  File size:862'208 bytes
                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  General

                                                                                  Target ID:5
                                                                                  Start time:03:26:07
                                                                                  Start date:11/12/2024
                                                                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
                                                                                  Imagebase:0x6e0000
                                                                                  File size:108'664 bytes
                                                                                  MD5 hash:914F728C04D3EDDD5FBA59420E74E56B
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.4621214709.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.4621214709.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.4621214709.0000000002D3C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.4609800708.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.4609800708.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                  Reputation:high
                                                                                  Has exited:false

                                                                                  General

                                                                                  Target ID:8
                                                                                  Start time:03:26:07
                                                                                  Start date:11/12/2024
                                                                                  Path:C:\Windows\System32\WerFault.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\WerFault.exe -u -p 3476 -s 1468
                                                                                  Imagebase:0x7ff76ffa0000
                                                                                  File size:570'736 bytes
                                                                                  MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  General

                                                                                  Target ID:9
                                                                                  Start time:03:26:14
                                                                                  Start date:11/12/2024
                                                                                  Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                  Imagebase:0x7ff717f30000
                                                                                  File size:496'640 bytes
                                                                                  MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  General

                                                                                  Target ID:11
                                                                                  Start time:03:26:23
                                                                                  Start date:11/12/2024
                                                                                  Path:C:\Users\user\AppData\Roaming\newapp\newapp.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Users\user\AppData\Roaming\newapp\newapp.exe"
                                                                                  Imagebase:0xff0000
                                                                                  File size:108'664 bytes
                                                                                  MD5 hash:914F728C04D3EDDD5FBA59420E74E56B
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Antivirus matches:
                                                                                  • Detection: 0%, ReversingLabs
                                                                                  • Detection: 0%, Virustotal, Browse
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  General

                                                                                  Target ID:12
                                                                                  Start time:03:26:23
                                                                                  Start date:11/12/2024
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff66e660000
                                                                                  File size:862'208 bytes
                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  General

                                                                                  Target ID:13
                                                                                  Start time:03:26:31
                                                                                  Start date:11/12/2024
                                                                                  Path:C:\Users\user\AppData\Roaming\newapp\newapp.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Users\user\AppData\Roaming\newapp\newapp.exe"
                                                                                  Imagebase:0x2e0000
                                                                                  File size:108'664 bytes
                                                                                  MD5 hash:914F728C04D3EDDD5FBA59420E74E56B
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  General

                                                                                  Target ID:14
                                                                                  Start time:03:26:31
                                                                                  Start date:11/12/2024
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff66e660000
                                                                                  File size:862'208 bytes
                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  General

                                                                                  Target ID:27
                                                                                  Start time:03:27:06
                                                                                  Start date:11/12/2024
                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                  Imagebase:0x7ff7403e0000
                                                                                  File size:55'320 bytes
                                                                                  MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Has exited:true

                                                                                  Disassembly

                                                                                  Reset < >

                                                                                    Execution Graph

                                                                                    Execution Coverage:10.3%
                                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                                    Signature Coverage:0%
                                                                                    Total number of Nodes:3
                                                                                    Total number of Limit Nodes:0
                                                                                    execution_graph 30488 7ffd34800cc9 30489 7ffd34800cd1 FreeConsole 30488->30489 30491 7ffd34800d8e 30489->30491

                                                                                    Executed Functions

                                                                                    Function 00007FFD348011D0 Relevance: 7.4, Strings: 5, Instructions: 1179COMMON
                                                                                    Download Yara Rule

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 0 7ffd348011d0-7ffd34829d8e 2 7ffd34829d90-7ffd34829da0 0->2 3 7ffd34829da1-7ffd34829da4 0->3 2->3 5 7ffd34829dd2-7ffd34829dd8 3->5 6 7ffd34829da6-7ffd34829dac 3->6 9 7ffd34829deb-7ffd34829dee 5->9 10 7ffd34829dda-7ffd34829dea 5->10 7 7ffd34829dbf-7ffd34829dcd call 7ffd34801270 6->7 8 7ffd34829dae-7ffd34829dbe 6->8 26 7ffd34829f14-7ffd34829f21 7->26 8->7 12 7ffd34829df0-7ffd34829df6 9->12 13 7ffd34829e1c-7ffd34829e22 9->13 10->9 16 7ffd34829df8-7ffd34829e08 12->16 17 7ffd34829e09-7ffd34829e17 call 7ffd34801268 12->17 18 7ffd34829e24-7ffd34829e34 13->18 19 7ffd34829e35-7ffd34829e38 13->19 16->17 17->26 18->19 24 7ffd34829e66-7ffd34829e6c 19->24 25 7ffd34829e3a-7ffd34829e40 19->25 27 7ffd34829e7f-7ffd34829e82 24->27 28 7ffd34829e6e-7ffd34829e7e 24->28 30 7ffd34829e53-7ffd34829e61 call 7ffd348012a8 25->30 31 7ffd34829e42-7ffd34829e52 25->31 34 7ffd34829f22-7ffd34829f3a 27->34 35 7ffd34829e88-7ffd34829e8e 27->35 28->27 30->26 31->30 41 7ffd34829f65-7ffd34829f6b 34->41 42 7ffd34829f3c-7ffd34829f5e call 7ffd34821610 call 7ffd34801238 34->42 38 7ffd34829e90-7ffd34829e9d 35->38 39 7ffd34829ea2-7ffd34829eaa 35->39 38->39 49 7ffd34829e9f-7ffd34829ea0 38->49 44 7ffd34829eb0-7ffd34829ec6 39->44 45 7ffd3482a10c-7ffd3482a14d call 7ffd34806270 39->45 47 7ffd34829f6d-7ffd34829f7d 41->47 48 7ffd34829f7e-7ffd34829f81 41->48 65 7ffd34829f63 42->65 44->26 60 7ffd3482a14e-7ffd3482a160 45->60 47->48 53 7ffd34829fc0-7ffd34829fc6 48->53 54 7ffd34829f83-7ffd34829f87 48->54 49->39 56 7ffd34829fc8-7ffd34829fd8 53->56 57 7ffd34829fd9-7ffd34829fdc 53->57 59 7ffd34829f8d-7ffd34829fb6 call 7ffd34801290 54->59 54->60 56->57 63 7ffd34829fde-7ffd3482a000 call 7ffd348011f0 57->63 64 7ffd3482a037-7ffd3482a03d 57->64 86 7ffd34829fbb 59->86 76 7ffd3482a163-7ffd3482a1d0 60->76 77 7ffd3482a162 60->77 63->60 82 7ffd3482a006-7ffd3482a032 call 7ffd34801290 63->82 70 7ffd3482a03f-7ffd3482a04f 64->70 71 7ffd3482a050-7ffd3482a053 64->71 65->26 70->71 72 7ffd3482a081-7ffd3482a087 71->72 73 7ffd3482a055-7ffd3482a05b 71->73 83 7ffd3482a089-7ffd3482a099 72->83 84 7ffd3482a09a-7ffd3482a09d 72->84 80 7ffd3482a05d-7ffd3482a06d 73->80 81 7ffd3482a06e-7ffd3482a07c call 7ffd348012a8 73->81 97 7ffd3482a1d2-7ffd3482a1df call 7ffd348233c0 76->97 98 7ffd3482a1e5-7ffd3482a1fd 76->98 77->76 80->81 81->72 82->64 83->84 92 7ffd3482a09f-7ffd3482a0a5 84->92 93 7ffd3482a0cb-7ffd3482a105 call 7ffd34806270 84->93 86->26 99 7ffd3482a0a7-7ffd3482a0b7 92->99 100 7ffd3482a0b8-7ffd3482a0c6 call 7ffd348012b0 92->100 93->45 97->98 116 7ffd3482a84c-7ffd3482a886 call 7ffd34806270 97->116 107 7ffd3482a1ff-7ffd3482a202 98->107 108 7ffd3482a204-7ffd3482a22f 98->108 99->100 100->93 113 7ffd3482a231-7ffd3482a2d1 call 7ffd34821280 call 7ffd348285b0 call 7ffd34829c50 107->113 108->113 137 7ffd3482a2d3-7ffd3482a2d6 call 7ffd3481ef40 113->137 138 7ffd3482a2db-7ffd3482a2e7 113->138 131 7ffd3482a88d-7ffd3482a899 116->131 135 7ffd3482a8e6-7ffd3482a908 call 7ffd34806270 131->135 136 7ffd3482a89b-7ffd3482a8c7 call 7ffd34806270 131->136 157 7ffd3482a90f-7ffd3482a924 135->157 154 7ffd3482a8c9-7ffd3482a8da 136->154 137->138 138->131 142 7ffd3482a2ed-7ffd3482a333 call 7ffd34801200 138->142 150 7ffd3482a338-7ffd3482a353 142->150 155 7ffd3482a355 150->155 156 7ffd3482a359-7ffd3482a370 150->156 161 7ffd3482a927-7ffd3482a939 154->161 162 7ffd3482a8dc-7ffd3482a8e5 154->162 155->156 163 7ffd3482a6f5-7ffd3482a713 156->163 164 7ffd3482a376-7ffd3482a3f9 call 7ffd34821280 156->164 157->161 161->154 168 7ffd3482a93b-7ffd3482a997 call 7ffd34810e30 161->168 162->135 164->157 184 7ffd3482a3ff-7ffd3482a47f call 7ffd348285b0 call 7ffd34829c50 164->184 177 7ffd3482a9a6-7ffd3482a9b8 168->177 178 7ffd3482a999-7ffd3482a9a4 call 7ffd34809bb0 168->178 185 7ffd3482a9ba 177->185 178->177 191 7ffd3482a481-7ffd3482a484 call 7ffd3481ef40 184->191 192 7ffd3482a489-7ffd3482a4f5 184->192 185->185 191->192 199 7ffd3482a4ff-7ffd3482a519 192->199 200 7ffd3482a4f7-7ffd3482a4fd 192->200 201 7ffd3482a51f-7ffd3482a522 199->201 200->201 202 7ffd3482a524-7ffd3482a526 201->202 203 7ffd3482a528-7ffd3482a541 201->203 204 7ffd3482a599-7ffd3482a5a6 call 7ffd348139a0 202->204 203->204 206 7ffd3482a5c2-7ffd3482a5d5 203->206 210 7ffd3482a5f7-7ffd3482a610 204->210 211 7ffd3482a5a8-7ffd3482a5c1 204->211 208 7ffd3482a5dc-7ffd3482a5f2 call 7ffd34801298 206->208 208->210 214 7ffd3482a6ef-7ffd3482a6f3 210->214 215 7ffd3482a616-7ffd3482a638 210->215 211->157 219 7ffd3482a5c7-7ffd3482a5d5 211->219 214->163 215->163 218 7ffd3482a63e-7ffd3482a64c 215->218 221 7ffd3482a64e-7ffd3482a665 218->221 222 7ffd3482a6cc 218->222 219->208 223 7ffd3482a670-7ffd3482a6ac 221->223 224 7ffd3482a667-7ffd3482a66a 221->224 224->223
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2265041646.00007FFD34800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34800000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ffd34800000_QUOTATION#08670.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: xo4$xo4$xo4$xo4$xo4
                                                                                    • API String ID: 0-2346567174
                                                                                    • Opcode ID: abc185d03921c65bad59da1ea281c6224515653cd8d5505f075bdb179221ba32
                                                                                    • Instruction ID: b8b39dad56b0cef7c646c608952606b69b7782814b39cbb28495129a6cc8b000
                                                                                    • Opcode Fuzzy Hash: abc185d03921c65bad59da1ea281c6224515653cd8d5505f075bdb179221ba32
                                                                                    • Instruction Fuzzy Hash: 31720671B0DA4A4FEBA8DB1C48A56B977D2EF8A754F0401BED54DC3293DD28EC029781
                                                                                    Function 00007FFD34802168 Relevance: 4.8, Strings: 2, Instructions: 2258COMMON
                                                                                    Download Yara Rule
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2265041646.00007FFD34800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34800000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ffd34800000_QUOTATION#08670.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: L$fL_H
                                                                                    • API String ID: 0-3757094450
                                                                                    • Opcode ID: 0f51a1090109f28bdfe0a1415f439b35e22d93dad64cd96fe647877c78338c9d
                                                                                    • Instruction ID: b175c841d5ca003c3813b40a5dbb31779eb230d71e274265dce83602f5be49a1
                                                                                    • Opcode Fuzzy Hash: 0f51a1090109f28bdfe0a1415f439b35e22d93dad64cd96fe647877c78338c9d
                                                                                    • Instruction Fuzzy Hash: FAE2C531B1C90A4FEBA8DB1C94A5A7473D1EFAA314B1401BBD54EC72A2DD29FC42D781
                                                                                    Function 00007FFD34802F80 Relevance: 2.1, Strings: 1, Instructions: 844COMMON
                                                                                    Download Yara Rule

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 1113 7ffd34802f80-7ffd3483160e call 7ffd3482da90 1117 7ffd34831610-7ffd34831629 1113->1117 1118 7ffd3483162b 1113->1118 1120 7ffd3483162d-7ffd3483163a call 7ffd3482d328 1117->1120 1118->1120 1122 7ffd3483163f-7ffd3483164a 1120->1122 1123 7ffd3483164c-7ffd34831665 1122->1123 1124 7ffd3483166a-7ffd348316a0 call 7ffd3482d330 1122->1124 1123->1124 1127 7ffd34831667-7ffd34831668 1123->1127 1130 7ffd348322ed-7ffd348322f2 1124->1130 1131 7ffd348316a6-7ffd348316b5 1124->1131 1127->1124 1132 7ffd348316c0-7ffd348316f1 1130->1132 1133 7ffd348322f8-7ffd34832305 1130->1133 1134 7ffd34832310-7ffd34832318 1131->1134 1135 7ffd348316bb 1131->1135 1140 7ffd348316f3-7ffd348316f4 1132->1140 1141 7ffd348316f6-7ffd348316fe 1132->1141 1133->1132 1136 7ffd3483230b 1133->1136 1137 7ffd3483231e-7ffd34832351 1134->1137 1138 7ffd34832859-7ffd3483286d 1134->1138 1135->1138 1136->1138 1142 7ffd3483286e-7ffd348328b3 1137->1142 1143 7ffd34832357-7ffd3483237e 1137->1143 1140->1141 1144 7ffd34831700-7ffd3483170f call 7ffd34802f90 1141->1144 1145 7ffd34831714-7ffd34832293 call 7ffd34802808 1141->1145 1155 7ffd348328b5-7ffd348328b7 1142->1155 1150 7ffd34832380-7ffd34832383 1143->1150 1151 7ffd34832385-7ffd34832389 1143->1151 1144->1145 1160 7ffd348322cf-7ffd348322d6 1145->1160 1161 7ffd34832295-7ffd3483229c 1145->1161 1154 7ffd3483238c-7ffd3483238f 1150->1154 1151->1154 1157 7ffd34832391-7ffd34832393 1154->1157 1158 7ffd34832395-7ffd348323c2 call 7ffd348186d0 call 7ffd34818780 1154->1158 1155->1155 1159 7ffd348328b9-7ffd348328c9 call 7ffd3482d330 1155->1159 1162 7ffd348323d7-7ffd348323ee 1157->1162 1158->1162 1185 7ffd348323c4-7ffd348323d5 call 7ffd34801f58 1158->1185 1177 7ffd348328d5-7ffd348328da 1159->1177 1168 7ffd348322d8-7ffd348322e6 call 7ffd3482d320 1160->1168 1166 7ffd3483229e-7ffd348322b5 1161->1166 1167 7ffd348322c6-7ffd348322cd 1161->1167 1162->1138 1173 7ffd348323f4-7ffd348323f8 1162->1173 1166->1168 1174 7ffd348322b7-7ffd348322c4 call 7ffd3482d320 1166->1174 1167->1168 1168->1130 1173->1138 1178 7ffd348323fe-7ffd34832485 1173->1178 1174->1134 1182 7ffd348328cb-7ffd348328d0 call 7ffd3482d320 1177->1182 1183 7ffd348328dc-7ffd348328e9 1177->1183 1194 7ffd34832487-7ffd34832494 1178->1194 1195 7ffd348324ea-7ffd348324ff 1178->1195 1182->1177 1183->1182 1187 7ffd348328eb-7ffd348328f4 1183->1187 1185->1162 1194->1195 1196 7ffd34832496-7ffd348324a4 1194->1196 1197 7ffd348327fb-7ffd34832800 1195->1197 1196->1142 1198 7ffd348324aa-7ffd348324b8 1196->1198 1199 7ffd34832504-7ffd3483250e 1197->1199 1200 7ffd34832806-7ffd34832813 1197->1200 1202 7ffd348324c8-7ffd348324e5 call 7ffd34802808 1198->1202 1203 7ffd348324ba-7ffd348324c3 call 7ffd34802810 1198->1203 1204 7ffd3483269e-7ffd348326b1 1199->1204 1205 7ffd34832514-7ffd34832522 1199->1205 1200->1199 1201 7ffd34832819-7ffd34832825 1200->1201 1201->1142 1206 7ffd34832827-7ffd34832854 call 7ffd34802808 1201->1206 1202->1138 1203->1202 1211 7ffd348326b3 1204->1211 1205->1204 1209 7ffd34832528-7ffd3483264c call 7ffd34821558 * 2 call 7ffd348222f0 1205->1209 1206->1138 1249 7ffd3483264e-7ffd34832684 call 7ffd34827b10 * 2 1209->1249 1250 7ffd34832686 1209->1250 1211->1211 1214 7ffd348326b5-7ffd3483279b call 7ffd348222f0 1211->1214 1241 7ffd3483279d-7ffd348327cc call 7ffd34827b10 * 2 1214->1241 1242 7ffd348327ce-7ffd348327cf 1214->1242 1245 7ffd348327d1-7ffd348327f6 call 7ffd34802808 call 7ffd3482d320 1241->1245 1242->1245 1245->1197 1255 7ffd34832688-7ffd34832699 1249->1255 1250->1255 1255->1245
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2265041646.00007FFD34800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34800000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ffd34800000_QUOTATION#08670.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: (
                                                                                    • API String ID: 0-3887548279
                                                                                    • Opcode ID: 0558accd8d6ca9c0835d2ed54d5182d4974924e8b719fb954e6e538194bb2ab4
                                                                                    • Instruction ID: 86a87858e19d632533612bd8445a87b935d6efa6ec4204acc26c2471a35fccc9
                                                                                    • Opcode Fuzzy Hash: 0558accd8d6ca9c0835d2ed54d5182d4974924e8b719fb954e6e538194bb2ab4
                                                                                    • Instruction Fuzzy Hash: EE429134B1CA498FDBA8DB18C4A5AB973D1FF99300F14467EE54EC7292CE38E8819741
                                                                                    Function 00007FFD34802F48 Relevance: 1.2, Instructions: 1198COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2265041646.00007FFD34800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34800000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ffd34800000_QUOTATION#08670.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 355655785eabf6095afa3d8a489691403e4e50f4f4a9e40daa0b60789c3623d2
                                                                                    • Instruction ID: a07767f47e885ec127d178781f57104f2d8c6874ce712b9fe7bc0f0cac2cf026
                                                                                    • Opcode Fuzzy Hash: 355655785eabf6095afa3d8a489691403e4e50f4f4a9e40daa0b60789c3623d2
                                                                                    • Instruction Fuzzy Hash: 3482A035B18E0A4FEBA8DB1884B567573D1FF9A344B1442B9D58EC7386DE28EC429780
                                                                                    Function 00007FFD3482B460 Relevance: .9, Instructions: 862COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2265041646.00007FFD34800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34800000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ffd34800000_QUOTATION#08670.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: e23a0140cc74d6bc559c1a75c89647c6b439ee74198c9fbd94e8d5d0e428078e
                                                                                    • Instruction ID: 3094e44bc8c25657c791b9a8be5239aca15d7488f5b4470da393e1bf0319eb0f
                                                                                    • Opcode Fuzzy Hash: e23a0140cc74d6bc559c1a75c89647c6b439ee74198c9fbd94e8d5d0e428078e
                                                                                    • Instruction Fuzzy Hash: F2428231718E064FDBA8EB18C4A1A75B3E1FFA9344B1445BDD44EC7686CE39F8868784
                                                                                    Function 00007FFD3482B3E8 Relevance: .7, Instructions: 742COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2265041646.00007FFD34800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34800000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ffd34800000_QUOTATION#08670.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 4f50dfa40591d6a39c5c92f2b0ebb5a95ef147ad2ea9ba9ba947dca7c1313cd0
                                                                                    • Instruction ID: e041c5823864fc004942cf68175bbc7ca12e06c8131d316f9e59bca52f4b77f6
                                                                                    • Opcode Fuzzy Hash: 4f50dfa40591d6a39c5c92f2b0ebb5a95ef147ad2ea9ba9ba947dca7c1313cd0
                                                                                    • Instruction Fuzzy Hash: B2422C30A18A0A8FEBA8DB18C4A4BB973E1FF59344F1041B9D54ED7291DE39F885DB41
                                                                                    Function 00007FFD34800CC9 Relevance: 1.6, APIs: 1, Instructions: 114COMMON
                                                                                    Download Yara Rule

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 1681 7ffd34800cc9-7ffd34800ccf 1682 7ffd34800cda-7ffd34800ceb 1681->1682 1683 7ffd34800cd1-7ffd34800cd9 1681->1683 1684 7ffd34800cf6-7ffd34800d8c FreeConsole 1682->1684 1685 7ffd34800ced-7ffd34800cf5 1682->1685 1683->1682 1688 7ffd34800d94-7ffd34800dbb 1684->1688 1689 7ffd34800d8e 1684->1689 1685->1684 1689->1688
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2265041646.00007FFD34800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34800000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ffd34800000_QUOTATION#08670.jbxd
                                                                                    Similarity
                                                                                    • API ID: ConsoleFree
                                                                                    • String ID:
                                                                                    • API String ID: 771614528-0
                                                                                    • Opcode ID: 0c039df62e2b4bce1aad636c7344191e7ee08f782945efcae36c63c434d31b45
                                                                                    • Instruction ID: 9d63abda4c9e5313f30160c46e5c823b6b0a7ff16c273a04e3295ce04ce81cab
                                                                                    • Opcode Fuzzy Hash: 0c039df62e2b4bce1aad636c7344191e7ee08f782945efcae36c63c434d31b45
                                                                                    • Instruction Fuzzy Hash: 9431C73090C7889FD729DBA8D855BFABBF0EF16321F04426ED089C31A2DA64A445CB51
                                                                                    Function 00007FFD34910618 Relevance: 1.4, Strings: 1, Instructions: 197COMMON
                                                                                    Download Yara Rule
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2265549447.00007FFD34910000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34910000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ffd34910000_QUOTATION#08670.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: A
                                                                                    • API String ID: 0-3554254475
                                                                                    • Opcode ID: 51943353c5f858b171e5bd454eb353a53f8f1aedef8fe9b3215515ef0bf8b656
                                                                                    • Instruction ID: 73b7ad86e3f771ee221c6c9e34c02fe803d2be21c788a70ab5840b5d4cdd28be
                                                                                    • Opcode Fuzzy Hash: 51943353c5f858b171e5bd454eb353a53f8f1aedef8fe9b3215515ef0bf8b656
                                                                                    • Instruction Fuzzy Hash: A8516E3050D6898FDB56DB28CCA4AB47BE0FF5A304F1505EDD04ACB5CACE6EA846C791
                                                                                    Function 00007FFD34911630 Relevance: .4, Instructions: 390COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2265549447.00007FFD34910000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34910000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ffd34910000_QUOTATION#08670.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: ca9193d99fab4d213b9735c585f53db914c748ce1d3fcc0eb6be18b5b9042939
                                                                                    • Instruction ID: 71211f6c7d06ba8dbc0184bd0df8a04a429b0851c404f4cb394b5c77736e3449
                                                                                    • Opcode Fuzzy Hash: ca9193d99fab4d213b9735c585f53db914c748ce1d3fcc0eb6be18b5b9042939
                                                                                    • Instruction Fuzzy Hash: 2FC11732A0E7C55FD756DB3888A61A47FE0EF5B210B0901FFC199CB1A7DA1D6806D362
                                                                                    Function 00007FFD34910060 Relevance: .1, Instructions: 125COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2265549447.00007FFD34910000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34910000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ffd34910000_QUOTATION#08670.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 8f9e7d801a7f70a14da96c330cc48463d9bab977a704e9d912bf0756c9e8dc1f
                                                                                    • Instruction ID: 836cc368ed49fe6cef33ca694c8deb45b4af71976c4a9f2f57d2b015c1b2f5cb
                                                                                    • Opcode Fuzzy Hash: 8f9e7d801a7f70a14da96c330cc48463d9bab977a704e9d912bf0756c9e8dc1f
                                                                                    • Instruction Fuzzy Hash: 85317412B0DE8A0FEB9A9A2C28A01B477D2DF9A220B4901FFD54CC31DBDD0E9C42C350
                                                                                    Function 00007FFD349103A3 Relevance: .0, Instructions: 41COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2265549447.00007FFD34910000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34910000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ffd34910000_QUOTATION#08670.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: fdf38173ad493cf452cebe8e64a646c4180de1ee3e805fea3a73e3ece80e8bd8
                                                                                    • Instruction ID: bbde1a3516a7bdce4150a101c07105408a511d247cf57d93bedff1d77fbbfce1
                                                                                    • Opcode Fuzzy Hash: fdf38173ad493cf452cebe8e64a646c4180de1ee3e805fea3a73e3ece80e8bd8
                                                                                    • Instruction Fuzzy Hash: E5F0A73271CE4C4FD79CDA1CA855139B7D2EBD913674583BFE08EC3166DA269C428304

                                                                                    Non-executed Functions

                                                                                    Function 00007FFD3482B450 Relevance: .6, Instructions: 577COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2265041646.00007FFD34800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34800000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ffd34800000_QUOTATION#08670.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: f8a051cafcec651b852382ec6b7180ac1cd5a40f42a24219b9e296214354b7df
                                                                                    • Instruction ID: 0e97cf7a8c846deb823598bae7f9a748da3f7c2ea828fd247819fe62d4046b76
                                                                                    • Opcode Fuzzy Hash: f8a051cafcec651b852382ec6b7180ac1cd5a40f42a24219b9e296214354b7df
                                                                                    • Instruction Fuzzy Hash: 72F11727B0C9662AF731B7ACB4A51EE7B94DF81375B080277D68CDA083D91878C683D4
                                                                                    Function 00007FFD348261CE Relevance: .4, Instructions: 430COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2265041646.00007FFD34800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34800000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ffd34800000_QUOTATION#08670.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: b0211efbaee8ac1a53f229e3897a1a478a0406514ffbb453af0b0a7671c3dc7c
                                                                                    • Instruction ID: 3d35870d87b422fe9e457fc1e7256baed99f9be352ca0657e8c0d3b17159eef7
                                                                                    • Opcode Fuzzy Hash: b0211efbaee8ac1a53f229e3897a1a478a0406514ffbb453af0b0a7671c3dc7c
                                                                                    • Instruction Fuzzy Hash: 08D1C521B1CE4A4BEB58AB1894A227973D1FF99344F40427DE14ED72D3DE2CF8429781

                                                                                    Execution Graph

                                                                                    Execution Coverage:13.7%
                                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                                    Signature Coverage:0%
                                                                                    Total number of Nodes:193
                                                                                    Total number of Limit Nodes:19
                                                                                    execution_graph 40479 dc0848 40481 dc084e 40479->40481 40480 dc091b 40481->40480 40483 dc1340 40481->40483 40484 dc133b 40483->40484 40486 dc134f 40483->40486 40484->40481 40485 dc1454 40485->40481 40486->40485 40495 dc7d68 40486->40495 40500 dc7d59 40486->40500 40505 dc7f31 40486->40505 40510 dc7ed2 40486->40510 40515 dc7e94 40486->40515 40520 dc8219 40486->40520 40525 6463a70 40486->40525 40531 6463a98 40486->40531 40497 dc7d81 40495->40497 40496 dc7fc3 40496->40486 40497->40496 40537 dc7fe0 40497->40537 40541 dc7fd1 40497->40541 40502 dc7d81 40500->40502 40501 dc7fc3 40501->40486 40502->40501 40503 dc7fe0 DeleteFileW 40502->40503 40504 dc7fd1 DeleteFileW 40502->40504 40503->40501 40504->40501 40507 dc7f36 40505->40507 40506 dc7fc3 40506->40486 40508 dc7fe0 DeleteFileW 40507->40508 40509 dc7fd1 DeleteFileW 40507->40509 40508->40506 40509->40506 40511 dc7ed7 40510->40511 40513 dc7fe0 DeleteFileW 40511->40513 40514 dc7fd1 DeleteFileW 40511->40514 40512 dc7fc3 40512->40486 40513->40512 40514->40512 40517 dc7e99 40515->40517 40516 dc7fc3 40516->40486 40518 dc7fe0 DeleteFileW 40517->40518 40519 dc7fd1 DeleteFileW 40517->40519 40518->40516 40519->40516 40521 dc8223 40520->40521 40524 dc82d9 40521->40524 40549 647fa50 40521->40549 40553 647fa60 40521->40553 40524->40486 40526 6463a75 40525->40526 40528 6463b5b 40526->40528 40557 6460e24 40526->40557 40528->40486 40529 6463b21 40562 6460e44 40529->40562 40532 6463aaa 40531->40532 40533 6460e24 GetModuleHandleW 40532->40533 40535 6463b5b 40532->40535 40534 6463b21 40533->40534 40536 6460e44 KiUserCallbackDispatcher 40534->40536 40535->40486 40536->40535 40538 dc7ff0 40537->40538 40540 dc8022 40538->40540 40545 dc7790 40538->40545 40540->40496 40543 dc7fe0 40541->40543 40542 dc8022 40542->40496 40543->40542 40544 dc7790 DeleteFileW 40543->40544 40544->40542 40546 dc8040 DeleteFileW 40545->40546 40548 dc80bf 40546->40548 40548->40540 40551 647fa75 40549->40551 40550 647fc8a 40550->40524 40551->40550 40552 647fca0 GlobalMemoryStatusEx GlobalMemoryStatusEx 40551->40552 40552->40551 40555 647fa75 40553->40555 40554 647fc8a 40554->40524 40555->40554 40556 647fca0 GlobalMemoryStatusEx GlobalMemoryStatusEx 40555->40556 40556->40555 40558 6460e2f 40557->40558 40566 6464c43 40558->40566 40572 6464c58 40558->40572 40559 6463cfa 40559->40529 40563 6460e4f 40562->40563 40565 646b8e3 40563->40565 40607 646b0dc 40563->40607 40565->40528 40567 6464c58 40566->40567 40578 64651d1 40567->40578 40568 6464d06 40569 6463a60 GetModuleHandleW 40568->40569 40570 6464d32 40568->40570 40569->40570 40573 6464c83 40572->40573 40577 64651d1 GetModuleHandleW 40573->40577 40574 6464d06 40575 6463a60 GetModuleHandleW 40574->40575 40576 6464d32 40574->40576 40575->40576 40577->40574 40579 646520d 40578->40579 40580 646528e 40579->40580 40583 6465340 40579->40583 40593 6465350 40579->40593 40584 6465350 40583->40584 40586 6465389 40584->40586 40603 6463a60 40584->40603 40587 6463a60 GetModuleHandleW 40586->40587 40592 6465554 40586->40592 40588 64654da 40587->40588 40589 6463a60 GetModuleHandleW 40588->40589 40588->40592 40590 6465528 40589->40590 40591 6463a60 GetModuleHandleW 40590->40591 40590->40592 40591->40592 40592->40580 40594 6465365 40593->40594 40595 6463a60 GetModuleHandleW 40594->40595 40596 6465389 40594->40596 40595->40596 40597 6463a60 GetModuleHandleW 40596->40597 40602 6465554 40596->40602 40598 64654da 40597->40598 40599 6463a60 GetModuleHandleW 40598->40599 40598->40602 40600 6465528 40599->40600 40601 6463a60 GetModuleHandleW 40600->40601 40600->40602 40601->40602 40602->40580 40604 6465690 GetModuleHandleW 40603->40604 40606 6465705 40604->40606 40606->40586 40608 646b8f8 KiUserCallbackDispatcher 40607->40608 40610 646b966 40608->40610 40610->40563 40460 646a0e0 40461 646a0e1 GetCurrentProcess 40460->40461 40463 646a171 40461->40463 40464 646a178 GetCurrentThread 40461->40464 40463->40464 40465 646a1b5 GetCurrentProcess 40464->40465 40466 646a1ae 40464->40466 40467 646a1eb 40465->40467 40466->40465 40468 646a213 GetCurrentThreadId 40467->40468 40469 646a244 40468->40469 40611 646dcd0 40614 646dcd6 SetWindowsHookExA 40611->40614 40613 646dd5a 40614->40613 40615 646bd70 40616 646bd7b 40615->40616 40617 646bd8b 40616->40617 40622 646b314 40616->40622 40619 646bdab 40617->40619 40620 646bdc3 OleInitialize 40617->40620 40621 646be24 40620->40621 40623 646bdc0 OleInitialize 40622->40623 40625 646be24 40623->40625 40625->40617 40626 ccd030 40627 ccd048 40626->40627 40628 ccd0a2 40627->40628 40635 6466a12 40627->40635 40642 64668ea 40627->40642 40648 646475c 40627->40648 40656 646474c 40627->40656 40660 64668f0 40627->40660 40666 646af03 40627->40666 40636 6466a1e 40635->40636 40639 6466a2a 40635->40639 40675 6464784 40636->40675 40638 6466a27 40638->40628 40640 6463a60 GetModuleHandleW 40639->40640 40641 6466af7 40639->40641 40640->40641 40643 64668f0 40642->40643 40644 646474c GetModuleHandleW 40643->40644 40645 6466922 40644->40645 40646 646475c CallWindowProcW 40645->40646 40647 6466937 40646->40647 40647->40628 40649 6464767 40648->40649 40650 646af89 40649->40650 40652 646af79 40649->40652 40687 646a0ac 40650->40687 40679 646b478 40652->40679 40683 646b4b8 40652->40683 40653 646af87 40653->40653 40657 6464757 40656->40657 40658 6464784 GetModuleHandleW 40657->40658 40659 6466a27 40658->40659 40659->40628 40661 6466916 40660->40661 40662 646474c GetModuleHandleW 40661->40662 40663 6466922 40662->40663 40664 646475c CallWindowProcW 40663->40664 40665 6466937 40664->40665 40665->40628 40668 646af0a 40666->40668 40667 646af0c 40667->40628 40668->40667 40669 646af89 40668->40669 40671 646af79 40668->40671 40670 646a0ac CallWindowProcW 40669->40670 40672 646af87 40670->40672 40673 646b478 CallWindowProcW 40671->40673 40674 646b4b8 CallWindowProcW 40671->40674 40672->40672 40673->40672 40674->40672 40676 646478f 40675->40676 40677 6463a60 GetModuleHandleW 40676->40677 40678 6466af7 40676->40678 40677->40678 40680 646b47d 40679->40680 40681 646a0ac CallWindowProcW 40680->40681 40682 646b5a2 40680->40682 40681->40680 40682->40653 40685 646b4ba 40683->40685 40684 646a0ac CallWindowProcW 40684->40685 40685->40684 40686 646b5a2 40685->40686 40686->40653 40688 646a0b7 40687->40688 40689 646b652 CallWindowProcW 40688->40689 40690 646b601 40688->40690 40689->40690 40690->40653 40470 6465688 40471 6465690 GetModuleHandleW 40470->40471 40473 6465705 40471->40473 40474 646bf08 40475 646bf62 OleGetClipboard 40474->40475 40476 646bfa2 40475->40476 40477 646a328 DuplicateHandle 40478 646a3be 40477->40478 40691 6466738 40692 64667a0 CreateWindowExW 40691->40692 40694 646685c 40692->40694

                                                                                    Executed Functions

                                                                                    Function 064766E0 Relevance: .8, Instructions: 821COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4627166772.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_6470000_CasPol.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 37ae5474656e308099d3f76e5aa3038f17b7fb4bff111114f802c8ba46da51f5
                                                                                    • Instruction ID: 4b4b297c1288ed6de4825b332a300dde703775b5914eac1d8e5c0178058854de
                                                                                    • Opcode Fuzzy Hash: 37ae5474656e308099d3f76e5aa3038f17b7fb4bff111114f802c8ba46da51f5
                                                                                    • Instruction Fuzzy Hash: E1629C30B002058FDB65EB68D594AEEBBB3EF85310F55846AE406AB351DB35ED42CB90
                                                                                    Function 0647B318 Relevance: .8, Instructions: 768COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4627166772.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_6470000_CasPol.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 2354186587ea808852e638192935b38435d5f2970df5c49e79d29021f6e5c671
                                                                                    • Instruction ID: 5077f2f84d7324dece090713dc2361dba7cf0eefa80ce2bde9ef173008896e77
                                                                                    • Opcode Fuzzy Hash: 2354186587ea808852e638192935b38435d5f2970df5c49e79d29021f6e5c671
                                                                                    • Instruction Fuzzy Hash: 03525E30E102098FEF65DFA8D4807EEBBA2EB85310F64852BE405EB355DA35DD85CB91
                                                                                    Function 0647C268 Relevance: .6, Instructions: 648COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4627166772.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_6470000_CasPol.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 04b9252f256bdb7bdd9d615bad9bc2c345b9f9d12cf20083379a19b4fea07b0a
                                                                                    • Instruction ID: 307065c8860b4dc12d8c4ca04712804eaaea6e9aebdd0a4e51702e37911c7e88
                                                                                    • Opcode Fuzzy Hash: 04b9252f256bdb7bdd9d615bad9bc2c345b9f9d12cf20083379a19b4fea07b0a
                                                                                    • Instruction Fuzzy Hash: AD326035B10205DFDB65EB68D890BEEBBB2FB88310F14852AE505EB355DB35EC418B90
                                                                                    Function 064756B0 Relevance: .6, Instructions: 600COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4627166772.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_6470000_CasPol.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 34afd39323efa02372026ae9901b397dd43f5a9bec3941976f9667bebc0ca800
                                                                                    • Instruction ID: b930dc87ceec10b80ffa477bfd91e402289ea83e532eae1f4bdaf1cb21543e69
                                                                                    • Opcode Fuzzy Hash: 34afd39323efa02372026ae9901b397dd43f5a9bec3941976f9667bebc0ca800
                                                                                    • Instruction Fuzzy Hash: BB22C075F002158BDF69DB64D8846EEBBB2EB84320F25842AE819DF385CE35DC45CB90
                                                                                    Function 06473570 Relevance: .5, Instructions: 545COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4627166772.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_6470000_CasPol.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: bc65e0dff94c1f7b60b5f35957548cb76cdce3b7f8940da387aeb42d3efe6a96
                                                                                    • Instruction ID: 76c1f98628e40126ac50443a37627be56a9c32cfc0767467ac53601084ace5ce
                                                                                    • Opcode Fuzzy Hash: bc65e0dff94c1f7b60b5f35957548cb76cdce3b7f8940da387aeb42d3efe6a96
                                                                                    • Instruction Fuzzy Hash: 11323E31E1061ACFCB25EF75C85059DB7B2FFD9300F6196AAD409A7214EF31AA85CB90
                                                                                    Function 06477E68 Relevance: .5, Instructions: 476COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4627166772.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_6470000_CasPol.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 1adca8cf6dda2305a8c71ce36bbb858328f4a871e9cd096388593cba544d91e1
                                                                                    • Instruction ID: 3503ba5e7d28a1bda359d907e050036f0f48a2b2140104f42506b396c4d58f39
                                                                                    • Opcode Fuzzy Hash: 1adca8cf6dda2305a8c71ce36bbb858328f4a871e9cd096388593cba544d91e1
                                                                                    • Instruction Fuzzy Hash: 4402AD31B00216CFDB69DB64D8946EEBBA2FF84310F14856AE415EB385DB75ED42CB80
                                                                                    Function 0646A0D1 Relevance: 6.1, APIs: 4, Instructions: 137threadCOMMON
                                                                                    Download Yara Rule

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • GetCurrentProcess.KERNEL32 ref: 0646A15E
                                                                                    • GetCurrentThread.KERNEL32 ref: 0646A19B
                                                                                    • GetCurrentProcess.KERNEL32 ref: 0646A1D8
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 0646A231
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4627122360.0000000006460000.00000040.00000800.00020000.00000000.sdmp, Offset: 06460000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_6460000_CasPol.jbxd
                                                                                    Similarity
                                                                                    • API ID: Current$ProcessThread
                                                                                    • String ID:
                                                                                    • API String ID: 2063062207-0
                                                                                    • Opcode ID: 4e211595fde5f8a4918f09b9aa949dc0f1efd2b48f72f661f36c3b95ef608b5d
                                                                                    • Instruction ID: cb0807c776c9fc34656c5bf804a9a36fa11f0c9fd8840b73de0816865e3d49a2
                                                                                    • Opcode Fuzzy Hash: 4e211595fde5f8a4918f09b9aa949dc0f1efd2b48f72f661f36c3b95ef608b5d
                                                                                    • Instruction Fuzzy Hash: 705157B09007498FDB54CFAAD948BDEBFF1BF88314F24805AE409B7251DB749984CB66
                                                                                    Function 0646A0E0 Relevance: 6.1, APIs: 4, Instructions: 128threadCOMMON
                                                                                    Download Yara Rule

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • GetCurrentProcess.KERNEL32 ref: 0646A15E
                                                                                    • GetCurrentThread.KERNEL32 ref: 0646A19B
                                                                                    • GetCurrentProcess.KERNEL32 ref: 0646A1D8
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 0646A231
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4627122360.0000000006460000.00000040.00000800.00020000.00000000.sdmp, Offset: 06460000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_6460000_CasPol.jbxd
                                                                                    Similarity
                                                                                    • API ID: Current$ProcessThread
                                                                                    • String ID:
                                                                                    • API String ID: 2063062207-0
                                                                                    • Opcode ID: 526713542851aa1e7680b42e9d5229fd719f7b300e024dafacba4a8c3fd2463d
                                                                                    • Instruction ID: 00616379f9e02d8cb90543a9adf0e62b339cdfa5c71016af89b5eeb1bb922be4
                                                                                    • Opcode Fuzzy Hash: 526713542851aa1e7680b42e9d5229fd719f7b300e024dafacba4a8c3fd2463d
                                                                                    • Instruction Fuzzy Hash: 935145B09007498FDB44CFAAD948B9EBFF1AF88314F24845AE409A7351DB749984CB66
                                                                                    Function 00DCEFB8 Relevance: 1.6, APIs: 1, Instructions: 134COMMON
                                                                                    Download Yara Rule

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 571 dcefb8-dcefd3 572 dceffd-dcf013 571->572 573 dcefd5-dceffc 571->573 593 dcf015 call dcefb8 572->593 594 dcf015 call dcf0a0 572->594 576 dcf01a-dcf01c 577 dcf01e-dcf021 576->577 578 dcf022-dcf081 576->578 585 dcf087-dcf114 GlobalMemoryStatusEx 578->585 586 dcf083-dcf086 578->586 589 dcf11d-dcf145 585->589 590 dcf116-dcf11c 585->590 590->589 593->576 594->576
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4620553542.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_dc0000_CasPol.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: ebd9a9274958b9f8ac5bdab2bca95e9f7b8a46701d9e5e1b634cccae49553d12
                                                                                    • Instruction ID: 9c6b97edd7c8778d7d1cad902687c2f868453bf3a0cc6d81b7ff807a62a58126
                                                                                    • Opcode Fuzzy Hash: ebd9a9274958b9f8ac5bdab2bca95e9f7b8a46701d9e5e1b634cccae49553d12
                                                                                    • Instruction Fuzzy Hash: A6410572D043958FCB05CFA9D8047EDBBF1AF89310F1986AAD408EB651DB749845CBA1
                                                                                    Function 0646672C Relevance: 1.6, APIs: 1, Instructions: 122COMMON
                                                                                    Download Yara Rule

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 595 646672c-646679e 597 64667a0-64667a6 595->597 598 64667a9-64667b0 595->598 597->598 599 64667b2-64667b8 598->599 600 64667bb-64667f3 598->600 599->600 601 64667fb-646685a CreateWindowExW 600->601 602 6466863-646689b 601->602 603 646685c-6466862 601->603 607 646689d-64668a0 602->607 608 64668a8 602->608 603->602 607->608 609 64668a9 608->609 609->609
                                                                                    APIs
                                                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0646684A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4627122360.0000000006460000.00000040.00000800.00020000.00000000.sdmp, Offset: 06460000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_6460000_CasPol.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateWindow
                                                                                    • String ID:
                                                                                    • API String ID: 716092398-0
                                                                                    • Opcode ID: d15e300cebfca79f08955d8a91ac783ddcacf5eb019529533af931e5f87a6b9e
                                                                                    • Instruction ID: 945bde0b5497ad3ca229086ad5ad2d4ed55a005214bbcc4a1a685b6b7518a7af
                                                                                    • Opcode Fuzzy Hash: d15e300cebfca79f08955d8a91ac783ddcacf5eb019529533af931e5f87a6b9e
                                                                                    • Instruction Fuzzy Hash: 4651C3B1D00349DFDB14CFAAC884ADEBFB5BF49310F25852AE819AB210D771A845CF91
                                                                                    Function 06466738 Relevance: 1.6, APIs: 1, Instructions: 113COMMON
                                                                                    Download Yara Rule

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 610 6466738-646679e 611 64667a0-64667a6 610->611 612 64667a9-64667b0 610->612 611->612 613 64667b2-64667b8 612->613 614 64667bb-646685a CreateWindowExW 612->614 613->614 616 6466863-646689b 614->616 617 646685c-6466862 614->617 621 646689d-64668a0 616->621 622 64668a8 616->622 617->616 621->622 623 64668a9 622->623 623->623
                                                                                    APIs
                                                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0646684A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4627122360.0000000006460000.00000040.00000800.00020000.00000000.sdmp, Offset: 06460000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_6460000_CasPol.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateWindow
                                                                                    • String ID:
                                                                                    • API String ID: 716092398-0
                                                                                    • Opcode ID: 99e4a6e47fae43db5e08d1258965182f5d0509ac95d81da412b9c30abac997a1
                                                                                    • Instruction ID: a959f6d90fada4191b5953cdaf57234c3a281ea805a4409d4ebd55f76ac39ff3
                                                                                    • Opcode Fuzzy Hash: 99e4a6e47fae43db5e08d1258965182f5d0509ac95d81da412b9c30abac997a1
                                                                                    • Instruction Fuzzy Hash: 7141B0B1D10349DFDF14CFAAC884ADEBBB5BF48310F25852AE819AB210D775A845CF91
                                                                                    Function 0646A0AC Relevance: 1.6, APIs: 1, Instructions: 97COMMON
                                                                                    Download Yara Rule

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 624 646a0ac-646b5f4 627 646b6a4-646b6c4 call 646475c 624->627 628 646b5fa-646b5ff 624->628 635 646b6c7-646b6d4 627->635 630 646b652-646b68a CallWindowProcW 628->630 631 646b601-646b638 628->631 632 646b693-646b6a2 630->632 633 646b68c-646b692 630->633 638 646b641-646b650 631->638 639 646b63a-646b640 631->639 632->635 633->632 638->635 639->638
                                                                                    APIs
                                                                                    • CallWindowProcW.USER32(?,?,?,?,?), ref: 0646B679
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4627122360.0000000006460000.00000040.00000800.00020000.00000000.sdmp, Offset: 06460000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_6460000_CasPol.jbxd
                                                                                    Similarity
                                                                                    • API ID: CallProcWindow
                                                                                    • String ID:
                                                                                    • API String ID: 2714655100-0
                                                                                    • Opcode ID: 4295df056d65ed8ddc783425304b87efbe5d076f8b168f2e1b793a950606dce5
                                                                                    • Instruction ID: 25a94213e90b6530dd45ccf699eccb84a022c03cbdbbbe23d4be84679d6b0041
                                                                                    • Opcode Fuzzy Hash: 4295df056d65ed8ddc783425304b87efbe5d076f8b168f2e1b793a950606dce5
                                                                                    • Instruction Fuzzy Hash: E2414AB4900305CFDB54CF5AC848BAABBF5FF88314F24C459E519AB321D774A851CBA2
                                                                                    Function 0646BEFC Relevance: 1.6, APIs: 1, Instructions: 76comclipboardCOMMON
                                                                                    Download Yara Rule

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 641 646befc-646bf58 643 646bf62-646bfa0 OleGetClipboard 641->643 644 646bfa2-646bfa8 643->644 645 646bfa9-646bff7 643->645 644->645 650 646c007 645->650 651 646bff9-646bffd 645->651 653 646c008 650->653 651->650 652 646bfff 651->652 652->650 653->653
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4627122360.0000000006460000.00000040.00000800.00020000.00000000.sdmp, Offset: 06460000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_6460000_CasPol.jbxd
                                                                                    Similarity
                                                                                    • API ID: Clipboard
                                                                                    • String ID:
                                                                                    • API String ID: 220874293-0
                                                                                    • Opcode ID: f2cac133139553f49e93c7712fc45068701802530d14da7d25662faafdb77451
                                                                                    • Instruction ID: 2e69da48535d74246570c79dbce9084cb2e80cdcad5f2d8b7c59efdbe1220cb1
                                                                                    • Opcode Fuzzy Hash: f2cac133139553f49e93c7712fc45068701802530d14da7d25662faafdb77451
                                                                                    • Instruction Fuzzy Hash: A53112B4D01248DFDB54CF9AC984BDEBBF5FB48704F24801AE404AB290DBB5A845CFA1
                                                                                    Function 0646BF08 Relevance: 1.6, APIs: 1, Instructions: 71comclipboardCOMMON
                                                                                    Download Yara Rule

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 654 646bf08-646bfa0 OleGetClipboard 656 646bfa2-646bfa8 654->656 657 646bfa9-646bff7 654->657 656->657 662 646c007 657->662 663 646bff9-646bffd 657->663 665 646c008 662->665 663->662 664 646bfff 663->664 664->662 665->665
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4627122360.0000000006460000.00000040.00000800.00020000.00000000.sdmp, Offset: 06460000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_6460000_CasPol.jbxd
                                                                                    Similarity
                                                                                    • API ID: Clipboard
                                                                                    • String ID:
                                                                                    • API String ID: 220874293-0
                                                                                    • Opcode ID: 4e9707c12826e1de209ea1d34406a7946280f87ea7421e3e47f2bde682572065
                                                                                    • Instruction ID: 459e5f5dfa263fc8a2373630f946922282e50ec8756a4bb5c631989265ae78c3
                                                                                    • Opcode Fuzzy Hash: 4e9707c12826e1de209ea1d34406a7946280f87ea7421e3e47f2bde682572065
                                                                                    • Instruction Fuzzy Hash: D131E0B0D01249DFDB54CF9AC984B9EBBF5FB48714F24801AE404AB390DBB5A845CFA1
                                                                                    Function 0646BD60 Relevance: 1.6, APIs: 1, Instructions: 69comCOMMON
                                                                                    Download Yara Rule

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 666 646bd60-646bd6c 667 646bdc3-646be22 OleInitialize 666->667 668 646bd6e-646bd82 666->668 669 646be24-646be2a 667->669 670 646be2b-646be48 667->670 675 646bd84-646bd86 call 646b314 668->675 676 646bd9a-646bda1 668->676 669->670 680 646bd8b-646bd94 675->680 678 646bda3-646bdaa 676->678 679 646bdab-646bdaf 676->679 678->667 680->676 681 646bd96 680->681 681->676
                                                                                    APIs
                                                                                    • OleInitialize.OLE32(00000000), ref: 0646BE15
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4627122360.0000000006460000.00000040.00000800.00020000.00000000.sdmp, Offset: 06460000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_6460000_CasPol.jbxd
                                                                                    Similarity
                                                                                    • API ID: Initialize
                                                                                    • String ID:
                                                                                    • API String ID: 2538663250-0
                                                                                    • Opcode ID: 3f2e0942130bc7264c2b76bdc3a4b2f400f0c73ad3e6c1ca7ca0f12415912153
                                                                                    • Instruction ID: df7e6e4d81708f230e0406f9d31b7511e7f8f65a45c90254dafca4ccaa93ed72
                                                                                    • Opcode Fuzzy Hash: 3f2e0942130bc7264c2b76bdc3a4b2f400f0c73ad3e6c1ca7ca0f12415912153
                                                                                    • Instruction Fuzzy Hash: 36217A719003888FCB61DBAAC54579BBFF4EF48718F24449AE549E7241C3B9A458CBA2
                                                                                    Function 0646A320 Relevance: 1.6, APIs: 1, Instructions: 65COMMON
                                                                                    Download Yara Rule

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 682 646a320-646a327 683 646a328-646a3bc DuplicateHandle 682->683 684 646a3c5-646a3e2 683->684 685 646a3be-646a3c4 683->685 685->684
                                                                                    APIs
                                                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0646A3AF
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4627122360.0000000006460000.00000040.00000800.00020000.00000000.sdmp, Offset: 06460000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_6460000_CasPol.jbxd
                                                                                    Similarity
                                                                                    • API ID: DuplicateHandle
                                                                                    • String ID:
                                                                                    • API String ID: 3793708945-0
                                                                                    • Opcode ID: 6f6bb2f24ccc8fb9d04c0d3c6febb47097e3b24fa54eba650dc3994a59d7619d
                                                                                    • Instruction ID: 85c1508b724c6811b110c165f6dc8d9b29ecf179ddde3fc46e0f99095caef053
                                                                                    • Opcode Fuzzy Hash: 6f6bb2f24ccc8fb9d04c0d3c6febb47097e3b24fa54eba650dc3994a59d7619d
                                                                                    • Instruction Fuzzy Hash: 912105B5900248DFDB10CFAAD984ADEBFF4FB48310F14801AE915A3310D374A954CFA1
                                                                                    Function 0646A328 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                                                                    Download Yara Rule

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 688 646a328-646a3bc DuplicateHandle 689 646a3c5-646a3e2 688->689 690 646a3be-646a3c4 688->690 690->689
                                                                                    APIs
                                                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0646A3AF
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4627122360.0000000006460000.00000040.00000800.00020000.00000000.sdmp, Offset: 06460000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_6460000_CasPol.jbxd
                                                                                    Similarity
                                                                                    • API ID: DuplicateHandle
                                                                                    • String ID:
                                                                                    • API String ID: 3793708945-0
                                                                                    • Opcode ID: 77b2a358971f617fad3c9372c4490def179d9d5b1fc18fd74783e0a19657d471
                                                                                    • Instruction ID: 9e79066709955f06f65be998f90290f800d76f0cb9f4a79f0adaebd2da385044
                                                                                    • Opcode Fuzzy Hash: 77b2a358971f617fad3c9372c4490def179d9d5b1fc18fd74783e0a19657d471
                                                                                    • Instruction Fuzzy Hash: B121E3B5900249DFDB10CF9AD984ADEBBF4FB48320F14841AE918A3310D374A954CFA1
                                                                                    Function 0646DCCB Relevance: 1.6, APIs: 1, Instructions: 60COMMON
                                                                                    Download Yara Rule

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 702 646dccb-646dcce 703 646dcd6-646dd1a 702->703 704 646dcd0-646dcd5 702->704 706 646dd26-646dd58 SetWindowsHookExA 703->706 707 646dd1c-646dd24 703->707 704->703 708 646dd61-646dd81 706->708 709 646dd5a-646dd60 706->709 707->706 709->708
                                                                                    APIs
                                                                                    • SetWindowsHookExA.USER32(?,00000000,?,?), ref: 0646DD4B
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4627122360.0000000006460000.00000040.00000800.00020000.00000000.sdmp, Offset: 06460000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_6460000_CasPol.jbxd
                                                                                    Similarity
                                                                                    • API ID: HookWindows
                                                                                    • String ID:
                                                                                    • API String ID: 2559412058-0
                                                                                    • Opcode ID: 2b5eef1987fe889e382223a1cbd1cf7f6993c16be7dcecae0ea3a8c303c84756
                                                                                    • Instruction ID: b67fcc638dfba3fac13b82d424ed36e13edcbedb1cf39635d8f3a26c870ee733
                                                                                    • Opcode Fuzzy Hash: 2b5eef1987fe889e382223a1cbd1cf7f6993c16be7dcecae0ea3a8c303c84756
                                                                                    • Instruction Fuzzy Hash: EB2134B1D00249DFDB54DF9AC844BDEBBF4BF88310F10841AE419A7250C774A944CFA1
                                                                                    Function 00DC8038 Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON
                                                                                    Download Yara Rule

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 693 dc8038-dc808a 696 dc808c-dc808f 693->696 697 dc8092-dc80bd DeleteFileW 693->697 696->697 698 dc80bf-dc80c5 697->698 699 dc80c6-dc80ee 697->699 698->699
                                                                                    APIs
                                                                                    • DeleteFileW.KERNEL32(00000000), ref: 00DC80B0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4620553542.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_dc0000_CasPol.jbxd
                                                                                    Similarity
                                                                                    • API ID: DeleteFile
                                                                                    • String ID:
                                                                                    • API String ID: 4033686569-0
                                                                                    • Opcode ID: 4ad79e49939eb67408b8a5593b085acd2249882d27a4b0153647417b613226d6
                                                                                    • Instruction ID: 91db3b1910a845803b6800c11c28fbb338ca43d2585f833b39192a729cd0be3e
                                                                                    • Opcode Fuzzy Hash: 4ad79e49939eb67408b8a5593b085acd2249882d27a4b0153647417b613226d6
                                                                                    • Instruction Fuzzy Hash: 332147B2C0061ADFCB10CF9AC440B9EFBB4FF48720F148229D918A7240D778A944CFA1
                                                                                    Function 00DC7790 Relevance: 1.6, APIs: 1, Instructions: 59fileCOMMON
                                                                                    Download Yara Rule

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 713 dc7790-dc808a 716 dc808c-dc808f 713->716 717 dc8092-dc80bd DeleteFileW 713->717 716->717 718 dc80bf-dc80c5 717->718 719 dc80c6-dc80ee 717->719 718->719
                                                                                    APIs
                                                                                    • DeleteFileW.KERNEL32(00000000), ref: 00DC80B0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4620553542.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_dc0000_CasPol.jbxd
                                                                                    Similarity
                                                                                    • API ID: DeleteFile
                                                                                    • String ID:
                                                                                    • API String ID: 4033686569-0
                                                                                    • Opcode ID: d7d1ca30c3f73962edfa7b41d8e5159ad4ee81b545da5419a14636d12324bae3
                                                                                    • Instruction ID: af6e719da8b7e2fe826aed32f8865992f1c3d4eea58d494f783c52ff3e0811af
                                                                                    • Opcode Fuzzy Hash: d7d1ca30c3f73962edfa7b41d8e5159ad4ee81b545da5419a14636d12324bae3
                                                                                    • Instruction Fuzzy Hash: B72115B1C0065A9BDB24CF9AC544BAEFBB4BB48720F148129D918B7240D778A954CFA5
                                                                                    Function 0646DCD0 Relevance: 1.6, APIs: 1, Instructions: 57COMMON
                                                                                    Download Yara Rule

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 722 646dcd0-646dd1a 725 646dd26-646dd58 SetWindowsHookExA 722->725 726 646dd1c-646dd24 722->726 727 646dd61-646dd81 725->727 728 646dd5a-646dd60 725->728 726->725 728->727
                                                                                    APIs
                                                                                    • SetWindowsHookExA.USER32(?,00000000,?,?), ref: 0646DD4B
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4627122360.0000000006460000.00000040.00000800.00020000.00000000.sdmp, Offset: 06460000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_6460000_CasPol.jbxd
                                                                                    Similarity
                                                                                    • API ID: HookWindows
                                                                                    • String ID:
                                                                                    • API String ID: 2559412058-0
                                                                                    • Opcode ID: 263908f99f31c915bcdfdb8fb6c6807caafd5229f654a2d5aadbd0ab86a36b9e
                                                                                    • Instruction ID: f6616b3419cd5aba4dd6b8911a61899b7ac8e90b2b9ba500dbf7383321d52bca
                                                                                    • Opcode Fuzzy Hash: 263908f99f31c915bcdfdb8fb6c6807caafd5229f654a2d5aadbd0ab86a36b9e
                                                                                    • Instruction Fuzzy Hash: 242102B1D00249CFDB54DF9AC844BAEBBF5AF88320F10842AE419A7250C775A944CFA1
                                                                                    Function 00DCF0A0 Relevance: 1.6, APIs: 1, Instructions: 52COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    • GlobalMemoryStatusEx.KERNEL32(?), ref: 00DCF107
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4620553542.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_dc0000_CasPol.jbxd
                                                                                    Similarity
                                                                                    • API ID: GlobalMemoryStatus
                                                                                    • String ID:
                                                                                    • API String ID: 1890195054-0
                                                                                    • Opcode ID: 718d0f84ba8961f60249954f36c49ef7c933daf86f992e61805036f57309cee4
                                                                                    • Instruction ID: 56cc709d0ebaef9225d150617c763914c7090f55b186e5c77008e8bb2aa68295
                                                                                    • Opcode Fuzzy Hash: 718d0f84ba8961f60249954f36c49ef7c933daf86f992e61805036f57309cee4
                                                                                    • Instruction Fuzzy Hash: 301103B1C0065ADBCB10CF9AC444BDEFBB4AF48720F14812AD918A7240D378A954CFA1
                                                                                    Function 06465688 Relevance: 1.6, APIs: 1, Instructions: 51COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 064656F6
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4627122360.0000000006460000.00000040.00000800.00020000.00000000.sdmp, Offset: 06460000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_6460000_CasPol.jbxd
                                                                                    Similarity
                                                                                    • API ID: HandleModule
                                                                                    • String ID:
                                                                                    • API String ID: 4139908857-0
                                                                                    • Opcode ID: 81b4a2693046d71f3e885633d5f3e5b759a55fc10970f868b2c230df63a39ab0
                                                                                    • Instruction ID: be0da4e8af7d079b82d1348c1db903df004c9912d8c65c81cf51662a42b18e2d
                                                                                    • Opcode Fuzzy Hash: 81b4a2693046d71f3e885633d5f3e5b759a55fc10970f868b2c230df63a39ab0
                                                                                    • Instruction Fuzzy Hash: 9311F0B5C007498FCB14CF9AD844ADEFBF5EB89224F10845AE829A7210D375A545CFA2
                                                                                    Function 06463A60 Relevance: 1.6, APIs: 1, Instructions: 50COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 064656F6
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4627122360.0000000006460000.00000040.00000800.00020000.00000000.sdmp, Offset: 06460000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_6460000_CasPol.jbxd
                                                                                    Similarity
                                                                                    • API ID: HandleModule
                                                                                    • String ID:
                                                                                    • API String ID: 4139908857-0
                                                                                    • Opcode ID: 156204a11c29f4624a48ced6da6b9b4264152d0ae33440943b72795ae3e50820
                                                                                    • Instruction ID: e094e1965746fa8c75e4f04ad1f608ae37e4a4aedeaa704a9f8cdd8b2ef55f4b
                                                                                    • Opcode Fuzzy Hash: 156204a11c29f4624a48ced6da6b9b4264152d0ae33440943b72795ae3e50820
                                                                                    • Instruction Fuzzy Hash: 301102B5C00749CFDB14DF9AC444B9EFBF4EB88224F10845AE829B7210D379A545CFA5
                                                                                    Function 0646BDB9 Relevance: 1.5, APIs: 1, Instructions: 47comCOMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    • OleInitialize.OLE32(00000000), ref: 0646BE15
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4627122360.0000000006460000.00000040.00000800.00020000.00000000.sdmp, Offset: 06460000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_6460000_CasPol.jbxd
                                                                                    Similarity
                                                                                    • API ID: Initialize
                                                                                    • String ID:
                                                                                    • API String ID: 2538663250-0
                                                                                    • Opcode ID: bf98cb11ca9777c3b32cda42678e4181c16e2d7ce7fa06c3e51a29a44947cc30
                                                                                    • Instruction ID: fc4e33fe4bd9ce9baffad3007b1dbe80501aad07ff2e747fa64aaca8e8a8a0f7
                                                                                    • Opcode Fuzzy Hash: bf98cb11ca9777c3b32cda42678e4181c16e2d7ce7fa06c3e51a29a44947cc30
                                                                                    • Instruction Fuzzy Hash: F91122B5800249CFCB20CFAAD844BCEFFF4EB48224F24845AE518A7200C375A944CFA5
                                                                                    Function 0646B8F0 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    • KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,0646B8CD), ref: 0646B957
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4627122360.0000000006460000.00000040.00000800.00020000.00000000.sdmp, Offset: 06460000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_6460000_CasPol.jbxd
                                                                                    Similarity
                                                                                    • API ID: CallbackDispatcherUser
                                                                                    • String ID:
                                                                                    • API String ID: 2492992576-0
                                                                                    • Opcode ID: dac2efd20afec77b005d5ab89be26d1044849c1370d6fe8b40d100aa65b577f6
                                                                                    • Instruction ID: 998a0ec418583f41f4071dbded45686263994b20d81a119b58a08639efef6657
                                                                                    • Opcode Fuzzy Hash: dac2efd20afec77b005d5ab89be26d1044849c1370d6fe8b40d100aa65b577f6
                                                                                    • Instruction Fuzzy Hash: D61103B5800249CFDB10CF9AD944BDEFBF4EB49724F20841AE529A7350C775A944CFA5
                                                                                    Function 0646B314 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    • OleInitialize.OLE32(00000000), ref: 0646BE15
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4627122360.0000000006460000.00000040.00000800.00020000.00000000.sdmp, Offset: 06460000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_6460000_CasPol.jbxd
                                                                                    Similarity
                                                                                    • API ID: Initialize
                                                                                    • String ID:
                                                                                    • API String ID: 2538663250-0
                                                                                    • Opcode ID: 52c3dc318ccdbf3447590f88844c819eecda3c1a5c6a54e8e228b0ca4231587b
                                                                                    • Instruction ID: 01908284aabb8b61714f08a4b6588ae9c1c4593eb06812842dd91f0a239e3187
                                                                                    • Opcode Fuzzy Hash: 52c3dc318ccdbf3447590f88844c819eecda3c1a5c6a54e8e228b0ca4231587b
                                                                                    • Instruction Fuzzy Hash: DD1103B1800349CFDB60DF9AC544B9EBBF4EB48324F20845AE519A7300D375A954CFA5
                                                                                    Function 0646B0DC Relevance: 1.5, APIs: 1, Instructions: 46COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    • KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,0646B8CD), ref: 0646B957
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4627122360.0000000006460000.00000040.00000800.00020000.00000000.sdmp, Offset: 06460000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_6460000_CasPol.jbxd
                                                                                    Similarity
                                                                                    • API ID: CallbackDispatcherUser
                                                                                    • String ID:
                                                                                    • API String ID: 2492992576-0
                                                                                    • Opcode ID: 7c82d96c3c71bc0c0ac8d7dff2453c257b89176da4ee4a04730c5af422873e3e
                                                                                    • Instruction ID: 1fc5b75d29747b8c068d34e2fc8b62f99ae6f51ee5c26a89ae76efa4536331c9
                                                                                    • Opcode Fuzzy Hash: 7c82d96c3c71bc0c0ac8d7dff2453c257b89176da4ee4a04730c5af422873e3e
                                                                                    • Instruction Fuzzy Hash: 631122B1800349CFDB50CF9AC444B9EBBF4EB48724F20845AE929A7210D7B4A944CFA5
                                                                                    Function 0647D038 Relevance: .8, Instructions: 800COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4627166772.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_6470000_CasPol.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: fa12df8f77641dcbe14633d6f411c90cbfbd75a6b2431de91613852aa8b77260
                                                                                    • Instruction ID: 415262769b3410577458721fdb9baa27af368d1cd17e4400f0c15b3353eb0d8b
                                                                                    • Opcode Fuzzy Hash: fa12df8f77641dcbe14633d6f411c90cbfbd75a6b2431de91613852aa8b77260
                                                                                    • Instruction Fuzzy Hash: EB624C30A10206CFDB59EB68D580A9EBBB2FF84310F649A69D005DB359DF75ED46CB80
                                                                                    Function 0647ADB0 Relevance: .4, Instructions: 392COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4627166772.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_6470000_CasPol.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: a8546f136df2f701d5b061e4a52438c87efacbe6c7149177a2d583e3e9699325
                                                                                    • Instruction ID: 6cc46702ea525cc75b4393754ec23e6c0542f6bd7be5f006b2c91f4355fe9cd0
                                                                                    • Opcode Fuzzy Hash: a8546f136df2f701d5b061e4a52438c87efacbe6c7149177a2d583e3e9699325
                                                                                    • Instruction Fuzzy Hash: D7E16E30E1020ACFDB69DF69D4946EEBBB2EF85300F24852AE405EB345DB759D46CB90
                                                                                    Function 0647B307 Relevance: .3, Instructions: 299COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4627166772.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_6470000_CasPol.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: e9c2a39acc0d55cf3e18f8cc36d76e6fd17a7e2bdcd1c83e63af6fc13a992b4a
                                                                                    • Instruction ID: b4c4828cc19afc097e62817030e49dde3581a0f97fa49183f6e2f3fef9cac95f
                                                                                    • Opcode Fuzzy Hash: e9c2a39acc0d55cf3e18f8cc36d76e6fd17a7e2bdcd1c83e63af6fc13a992b4a
                                                                                    • Instruction Fuzzy Hash: B8A19530F101099BEF65DEACD8907EFBBA6EB89310F608426E505D7392CE35DD819792
                                                                                    Function 0647B72A Relevance: .3, Instructions: 267COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4627166772.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_6470000_CasPol.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: a547ccb28d0d835173608be17d0ab3a99d9d7c7d5f4d5eaa233f006b29964635
                                                                                    • Instruction ID: e6c68447084ee123afb4f8feeabb93538b80c1b17923097afe530b30aa4d4776
                                                                                    • Opcode Fuzzy Hash: a547ccb28d0d835173608be17d0ab3a99d9d7c7d5f4d5eaa233f006b29964635
                                                                                    • Instruction Fuzzy Hash: B8A10870E1020A8BEFA6DE58C4807EEB7B1EB89310F648927E415EB355DB35DC85CB91
                                                                                    Function 06479238 Relevance: .2, Instructions: 230COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4627166772.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_6470000_CasPol.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 940220ff0de5ae9ff08ce24700dd89537ae091d57c90ba99b080a81effb88fa9
                                                                                    • Instruction ID: b337f1227b4b1bf16ae2f3786eb69f9859ca1fe64c5b2f31be5137f74e51a3f6
                                                                                    • Opcode Fuzzy Hash: 940220ff0de5ae9ff08ce24700dd89537ae091d57c90ba99b080a81effb88fa9
                                                                                    • Instruction Fuzzy Hash: A7912130F1021A8FDB69EB75D9507AE77F2EFC4200F10856AD80AEB345EE719D468B91
                                                                                    Function 064762E0 Relevance: .2, Instructions: 229COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4627166772.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_6470000_CasPol.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 01e9584f0c594b2c043ce90aaaa8f85c839bb4a52ae9c3e6b7172a5db02fe40e
                                                                                    • Instruction ID: 0824184c29514b80c35a09956f55d543557bc30d54b655e3166a56752f1e2152
                                                                                    • Opcode Fuzzy Hash: 01e9584f0c594b2c043ce90aaaa8f85c839bb4a52ae9c3e6b7172a5db02fe40e
                                                                                    • Instruction Fuzzy Hash: 0F61E271F104114FDF559A6DC844A9FBADBAFC4220F25403AD80ADB3A4DEB9ED028795
                                                                                    Function 064743A8 Relevance: .2, Instructions: 226COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4627166772.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_6470000_CasPol.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: b17d0f30a6a304d3f73e8d09dfcdc6e3aab9b9b1ba2964a14f6f3b4c633eb500
                                                                                    • Instruction ID: 01b059c1949a6a94b4414953fe4c702dfe8965a693558b3a513e227e6c01074f
                                                                                    • Opcode Fuzzy Hash: b17d0f30a6a304d3f73e8d09dfcdc6e3aab9b9b1ba2964a14f6f3b4c633eb500
                                                                                    • Instruction Fuzzy Hash: E2817F34B002058FDF59DFA8D4547AEBBF2AF88310F10852AD40AEB785EB75DD428B91
                                                                                    Function 064743B8 Relevance: .2, Instructions: 218COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4627166772.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_6470000_CasPol.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: b08dc3b0f18e3f7d2e4fff9258f2524d6fcf64107ee9a7292adf321e758ac41b
                                                                                    • Instruction ID: 9b36cc3d8dc31027321924515c10bfb77b4f775fbf7a995e552634022f4b0ba1
                                                                                    • Opcode Fuzzy Hash: b08dc3b0f18e3f7d2e4fff9258f2524d6fcf64107ee9a7292adf321e758ac41b
                                                                                    • Instruction Fuzzy Hash: 19815D34B002098FDF59DFA8D4547AEBBF2AF88310F10852AD40AEB385DB75DD468B91
                                                                                    Function 064746C8 Relevance: .2, Instructions: 217COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4627166772.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_6470000_CasPol.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: ca094ad86026cca5125c41b48cb3b609e385321b1d60caa2fa3c14dbb503d32a
                                                                                    • Instruction ID: ea9193ebc4111f5fd3d12e22c2218cd0c381ea9373726a5848d0729655a8c771
                                                                                    • Opcode Fuzzy Hash: ca094ad86026cca5125c41b48cb3b609e385321b1d60caa2fa3c14dbb503d32a
                                                                                    • Instruction Fuzzy Hash: 90914C30E10619CBDB51DF68C890BDDB7B1FF89310F20869AD549AB355DB70AA85CB90
                                                                                    Function 064746E0 Relevance: .2, Instructions: 210COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4627166772.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_6470000_CasPol.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: e602951e59ec2d71b6aa3d6a96de38116dd41a4080ded9dc4fcc1a07059d4ee5
                                                                                    • Instruction ID: f127e163d5180ea4fa051afdb27a656cfe8c143ac05d9e6dc97fa5b24ee77ecc
                                                                                    • Opcode Fuzzy Hash: e602951e59ec2d71b6aa3d6a96de38116dd41a4080ded9dc4fcc1a07059d4ee5
                                                                                    • Instruction Fuzzy Hash: 84913C30E10619CBDF60DF68C890BDDB7B1FF89310F20859AD549AB345DB71AA858F90
                                                                                    Function 0647F010 Relevance: .2, Instructions: 205COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4627166772.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_6470000_CasPol.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 11f1fa954847f23f745b7a4b4b856e328d0e999b0a499b0b591d498e8978fe27
                                                                                    • Instruction ID: 9b77d46e5b169a7bf27b3aa6adfe35a942e803ed1b6045059de5c91c998ec6bb
                                                                                    • Opcode Fuzzy Hash: 11f1fa954847f23f745b7a4b4b856e328d0e999b0a499b0b591d498e8978fe27
                                                                                    • Instruction Fuzzy Hash: AB715B30A002488FDB94DBA9C980ADEBBF6FF88300F64852AD405EB355DB31ED46CB50
                                                                                    Function 0647F020 Relevance: .2, Instructions: 201COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4627166772.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_6470000_CasPol.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 77ed12131e8f8a49cf856fd4e08ffaf6f1fbd7453e1523cee0e08ae8425790cc
                                                                                    • Instruction ID: bb7c5e9effba4e757c9e1838a1dc2343d423145777ea71be6e0eea9883577497
                                                                                    • Opcode Fuzzy Hash: 77ed12131e8f8a49cf856fd4e08ffaf6f1fbd7453e1523cee0e08ae8425790cc
                                                                                    • Instruction Fuzzy Hash: 7F715A30A002499FDB94DBA9C980ADEBBF6FF88300F14852AE405EB355DB31ED46CB50
                                                                                    Function 06474C78 Relevance: .2, Instructions: 186COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4627166772.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_6470000_CasPol.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 943ec5c899ac2ea101e597a4e5d303cd9f212b56b4ab6aff430d29ed9b577abd
                                                                                    • Instruction ID: 1a1b5b51e99a68fc81e639381a292fb08b4814d629b46773d3027289d73e1cb9
                                                                                    • Opcode Fuzzy Hash: 943ec5c899ac2ea101e597a4e5d303cd9f212b56b4ab6aff430d29ed9b577abd
                                                                                    • Instruction Fuzzy Hash: 46617E30F002199FEB559BA8C8547EEBBF6EF88310F20842AE109EB395DF755D459B90
                                                                                    Function 0647FCA0 Relevance: .2, Instructions: 179COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4627166772.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_6470000_CasPol.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: ff928f34492107f02d5350836d7b46454c42adebc3c3095935b44f44961e2c97
                                                                                    • Instruction ID: 71378875f9aff5f05f38eeb90b9a1a24eead5113a4e6275f6539fc8412c52a0c
                                                                                    • Opcode Fuzzy Hash: ff928f34492107f02d5350836d7b46454c42adebc3c3095935b44f44961e2c97
                                                                                    • Instruction Fuzzy Hash: 4451D031E01109DFDB94EBB8E8447EEBBB2EF84311F20886AE506D7351DB359849CB90
                                                                                    Function 0647FA50 Relevance: .2, Instructions: 173COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4627166772.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_6470000_CasPol.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: b9b46be6d0201c1a7f36ab678525b54b4bc9841458210eae53a02d0f8d6ecd72
                                                                                    • Instruction ID: 2621b8ff8f9378407061c2af7da5133eab434cc4e36a7887ff5f24ecac91fe80
                                                                                    • Opcode Fuzzy Hash: b9b46be6d0201c1a7f36ab678525b54b4bc9841458210eae53a02d0f8d6ecd72
                                                                                    • Instruction Fuzzy Hash: 77519530F201159BEFE5A6BCD854BAF3A5AE7C9310F20452AE50AC77D6CE79CC4543A1
                                                                                    Function 0647FA60 Relevance: .2, Instructions: 163COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4627166772.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_6470000_CasPol.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: fa81c90b0fce9744707087903c7e697d427b863372977a831c7d0a475e59592b
                                                                                    • Instruction ID: 0883bed71359bf908d1e5c94748d131c8fc93166c400bcf9453e8c19a56c775c
                                                                                    • Opcode Fuzzy Hash: fa81c90b0fce9744707087903c7e697d427b863372977a831c7d0a475e59592b
                                                                                    • Instruction Fuzzy Hash: 73518230F201049BEFE5A6B8D854BAF3A5AE7C9310F20452AE50AC73D6CE79DC4543A1
                                                                                    Function 06479228 Relevance: .2, Instructions: 161COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4627166772.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_6470000_CasPol.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: cab44a5a1695095c4e81d4c14f747ded66d64769b1f45159c631d09469d2551e
                                                                                    • Instruction ID: d98d1a4f14a7fabf8d300ea2bff7785585b2cc03beea33be9458b23541ffc5ac
                                                                                    • Opcode Fuzzy Hash: cab44a5a1695095c4e81d4c14f747ded66d64769b1f45159c631d09469d2551e
                                                                                    • Instruction Fuzzy Hash: 85513F34B011058FEB65EB74D950BAE77F6AF98210F10886AD81AEB385DE319D428B91
                                                                                    Function 06474C69 Relevance: .1, Instructions: 143COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4627166772.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_6470000_CasPol.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: d59d735de44b76db611047656a6d91be7e346bbb61024ec4fc46d11c3b1b8c17
                                                                                    • Instruction ID: 2bf605063bb584807cf109c0701d791d68df48b1e30e2844501dc543b33b9d52
                                                                                    • Opcode Fuzzy Hash: d59d735de44b76db611047656a6d91be7e346bbb61024ec4fc46d11c3b1b8c17
                                                                                    • Instruction Fuzzy Hash: 04518130F102499FEB559BA5C814BEEBBF6FF88310F20852AE105AB395DE758C059B90
                                                                                    Function 06475530 Relevance: .1, Instructions: 126COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4627166772.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_6470000_CasPol.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: f451a0617e9449a1c3e25bcc203fc92772e814c40a92600f277be500821ed6d1
                                                                                    • Instruction ID: 4ca6c45847a38ccc7c6632f7061d00b5ffc3242555a6a89d1300321d1bdc692d
                                                                                    • Opcode Fuzzy Hash: f451a0617e9449a1c3e25bcc203fc92772e814c40a92600f277be500821ed6d1
                                                                                    • Instruction Fuzzy Hash: 8A414171E006099FDF75CE99D880AAFF7F6EB94310F10492AD11ADB654DB30E9458B90
                                                                                    Function 0647DBC0 Relevance: .1, Instructions: 117COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4627166772.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_6470000_CasPol.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: a6c301a6be6fcd3b9aaa88bcf8e2af9915014a02fcae04affc7b887e92c665ce
                                                                                    • Instruction ID: a47b0449e0f4d66fd08f8c63451addefdf63af76836c9118dbcd0a664a29392d
                                                                                    • Opcode Fuzzy Hash: a6c301a6be6fcd3b9aaa88bcf8e2af9915014a02fcae04affc7b887e92c665ce
                                                                                    • Instruction Fuzzy Hash: 3D415C30E20609DFDB559FA5D8857AEBBB2FF85300F24452AD406E7340DBB1A946CB90
                                                                                    Function 0647DBAD Relevance: .1, Instructions: 116COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4627166772.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_6470000_CasPol.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: f6aff653a4e4d2bcf65c1fe1b33ec2ac91d1fe513b8bd98e8512d0fe5f7f9afe
                                                                                    • Instruction ID: aba984f9b1302a7bb2e57bda272c289a8189a718ead173ead1825071da3ac8a5
                                                                                    • Opcode Fuzzy Hash: f6aff653a4e4d2bcf65c1fe1b33ec2ac91d1fe513b8bd98e8512d0fe5f7f9afe
                                                                                    • Instruction Fuzzy Hash: 57414C70E102459FDB56DFB5D9817EEBBB2EF85300F24492AE406E7340EB71A946CB90
                                                                                    Function 064721C5 Relevance: .1, Instructions: 112COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4627166772.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_6470000_CasPol.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: d637eba8cde564996cdb7e2e113e0bbdbdb37938a4fafbec29a4e011a66169ee
                                                                                    • Instruction ID: 4bc6be7927467db009dfd2b180313ac45d3187b468e78b9f48b6ad22512c52b1
                                                                                    • Opcode Fuzzy Hash: d637eba8cde564996cdb7e2e113e0bbdbdb37938a4fafbec29a4e011a66169ee
                                                                                    • Instruction Fuzzy Hash: 8931ED30B002068FDB5AAB74D9547EF7BA2FF89210F60492AC402DB391DE75DE02CB90
                                                                                    Function 064756A0 Relevance: .1, Instructions: 109COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4627166772.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_6470000_CasPol.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 7d2856ddef3dd54b91a6c1add2cc78f5616d947737ee3ea41267109801521ff7
                                                                                    • Instruction ID: c3dc2151aefb5879d57c6a06e1e5cb0b9d485679e2776d433b6b92046224b0b6
                                                                                    • Opcode Fuzzy Hash: 7d2856ddef3dd54b91a6c1add2cc78f5616d947737ee3ea41267109801521ff7
                                                                                    • Instruction Fuzzy Hash: 9831B070E102058FDF6A9A68C5806EFBBB1EB45320F668927E459DF341CA34DD41CB91
                                                                                    Function 064721D8 Relevance: .1, Instructions: 105COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4627166772.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_6470000_CasPol.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 6235ca5873668d362950f6b69e30d763f5aee28b4924abb667e7b5f0eedbdb5e
                                                                                    • Instruction ID: b379d832b7c042ebf79da9a6a8549b0144ee290dde7ecf94fe45798cf638fc91
                                                                                    • Opcode Fuzzy Hash: 6235ca5873668d362950f6b69e30d763f5aee28b4924abb667e7b5f0eedbdb5e
                                                                                    • Instruction Fuzzy Hash: B431CB30B002059FDB5AAB78D8147AF7BA2BFC9610F24492ED406DB381DE71DE02CB90
                                                                                    Function 0647DA61 Relevance: .1, Instructions: 99COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4627166772.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_6470000_CasPol.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 0b3bca9eca098938a149e3a6b119d212038d73ea307cbe91aa7554624baceb70
                                                                                    • Instruction ID: 32fcb8e1bde28ff5bb2d7e43d3fd76c47f4c992bd8684393ea9e05a40bfe2ee9
                                                                                    • Opcode Fuzzy Hash: 0b3bca9eca098938a149e3a6b119d212038d73ea307cbe91aa7554624baceb70
                                                                                    • Instruction Fuzzy Hash: 22317230E2060ADBDB59DF64D4806DEBBB2FF85314F14892AE405EB344DBB0A9468B80
                                                                                    Function 06472089 Relevance: .1, Instructions: 98COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4627166772.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_6470000_CasPol.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 5f39dda096899cfc40b455fe9878e4f9337e52ed4211c741703fc5902c033276
                                                                                    • Instruction ID: 277f8be1efbe8fa61566e4190fa8a6efebdc5fedabbe62f550920be6d32c2de9
                                                                                    • Opcode Fuzzy Hash: 5f39dda096899cfc40b455fe9878e4f9337e52ed4211c741703fc5902c033276
                                                                                    • Instruction Fuzzy Hash: E7317E31E102459BDB59CF64D8956DFBBB6FF89300F10852AE906E7341EBB1AD42CB90
                                                                                    Function 06473508 Relevance: .1, Instructions: 94COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4627166772.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_6470000_CasPol.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 562025dde620ddff2c25959cdb04eee04dff518873f01ffee6689f4f03cf827c
                                                                                    • Instruction ID: 695ca7ea95a5b5782b62a6ab13739afaffc42af5e972a39d78e16c920c92de2d
                                                                                    • Opcode Fuzzy Hash: 562025dde620ddff2c25959cdb04eee04dff518873f01ffee6689f4f03cf827c
                                                                                    • Instruction Fuzzy Hash: 5731E4329083548FDB46EF78D8522DEBFB1EF86210F1489AAC156EB341EA35C945CB91
                                                                                    Function 06476560 Relevance: .1, Instructions: 93COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4627166772.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_6470000_CasPol.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: a9f4cfd576ee5755a63d80984145040efb41e85dc388d60a5b3a5ebc04ac5de1
                                                                                    • Instruction ID: a65115aecfd9ec514c94644bd195015c332114b60d19c43fecbd0b28e4b96215
                                                                                    • Opcode Fuzzy Hash: a9f4cfd576ee5755a63d80984145040efb41e85dc388d60a5b3a5ebc04ac5de1
                                                                                    • Instruction Fuzzy Hash: B7315AB1E016199FCB40CFA9D9817DEFBB5BF49310F11856AE908E7241E374AA50CBA0
                                                                                    Function 06472098 Relevance: .1, Instructions: 91COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4627166772.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_6470000_CasPol.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 18c182d7acabdc9528abe785facb41bbf337a92ac976b8fa95ee575d1493bb79
                                                                                    • Instruction ID: 6698583c8425606263038cd90349e34ab8f45df0ea30e1eb1ee49d8b77cc7600
                                                                                    • Opcode Fuzzy Hash: 18c182d7acabdc9528abe785facb41bbf337a92ac976b8fa95ee575d1493bb79
                                                                                    • Instruction Fuzzy Hash: 83314D31E106459BDB59DF64D8946DFBBB2FF89300F10851AE906E7340EBB1AD42CB50
                                                                                    Function 06473FB0 Relevance: .1, Instructions: 84COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4627166772.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_6470000_CasPol.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 3a77b20bc4ba88011b330132cb50c90e39a77571a50b5fe19fce7638b9152fd1
                                                                                    • Instruction ID: ca2d5aa85dc96ec5ee4f73270ec779f6e3791eb6a9712b5afa2fb88506142007
                                                                                    • Opcode Fuzzy Hash: 3a77b20bc4ba88011b330132cb50c90e39a77571a50b5fe19fce7638b9152fd1
                                                                                    • Instruction Fuzzy Hash: B7216876F11206DFDB12CFB8D881BEEBBF5AB58210F158026E909E7745E736D9018B90
                                                                                    Function 06473FC0 Relevance: .1, Instructions: 78COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4627166772.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_6470000_CasPol.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: a1a31b394d463c7022f1f35ce8dba22db5bf57c897d7dcfa652f8c04525d648e
                                                                                    • Instruction ID: 16ab218d90ff698fed8a994d5097b95e40c7975f25f8f095c4589b2e720d82dd
                                                                                    • Opcode Fuzzy Hash: a1a31b394d463c7022f1f35ce8dba22db5bf57c897d7dcfa652f8c04525d648e
                                                                                    • Instruction Fuzzy Hash: F9215A75E102169FDB61DF69D880AAEBBF5BB58250F108026E909E7345E732D901CB90
                                                                                    Function 00CCD030 Relevance: .1, Instructions: 72COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4618312353.0000000000CCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CCD000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_ccd000_CasPol.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: e71e232b27502a9a5dff602f2a2bff60a7b5db4c26df2930c68dce796b3a38a9
                                                                                    • Instruction ID: b5c3e83412d077f8281046f2a09e7371c404c3036a85b6b5f848a5b1e1fbe3b8
                                                                                    • Opcode Fuzzy Hash: e71e232b27502a9a5dff602f2a2bff60a7b5db4c26df2930c68dce796b3a38a9
                                                                                    • Instruction Fuzzy Hash: EF21D075504244EFDB14DF18D9C0F26BBA5EB84314F24C5BDD90A4A292C77AD846CA62
                                                                                    Function 00CCD118 Relevance: .1, Instructions: 71COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4618312353.0000000000CCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CCD000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_ccd000_CasPol.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 38933c2fe4d7d001fd435a9d488a218971be70068f09947ae775b92c26cee2dc
                                                                                    • Instruction ID: 9f94002ee94e471a5747aa621ad09d82feeac3dd9b7373bc296fd66a01ebb600
                                                                                    • Opcode Fuzzy Hash: 38933c2fe4d7d001fd435a9d488a218971be70068f09947ae775b92c26cee2dc
                                                                                    • Instruction Fuzzy Hash: 282104B1604344EFDB04DF14D9C0F2ABBA5FB84328F28C57DE90A4B251C336D846CA61
                                                                                    Function 00CCD005 Relevance: .1, Instructions: 71COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4618312353.0000000000CCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CCD000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_ccd000_CasPol.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: e6434390368b853b5538915b0d6ed45383c75e79b8c09a526c8375d8df0b2aaf
                                                                                    • Instruction ID: 57059f09b076a4d7725754841adcfff860fd07cf28f5c5f3851b9a7c8d61ee4e
                                                                                    • Opcode Fuzzy Hash: e6434390368b853b5538915b0d6ed45383c75e79b8c09a526c8375d8df0b2aaf
                                                                                    • Instruction Fuzzy Hash: 19214B7150D3C09FC703CB24D990B11BF71AB46214F2985EBD8898F2A7C23A980ACB62
                                                                                    Function 06476E00 Relevance: .1, Instructions: 68COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4627166772.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_6470000_CasPol.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 0243d6809120633a023591cb7f2bc6acd185a45ee9908d39ad6c1477d7e116e9
                                                                                    • Instruction ID: a96d8ab59884e9c7591e6525688bcf577fffee34a36683c61cb1841799737c12
                                                                                    • Opcode Fuzzy Hash: 0243d6809120633a023591cb7f2bc6acd185a45ee9908d39ad6c1477d7e116e9
                                                                                    • Instruction Fuzzy Hash: F721AF30B101199FDF58EA69E9507EEBBB7EF84310F55842AE405E7340DB31AD418B94
                                                                                    Function 06474308 Relevance: .1, Instructions: 60COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4627166772.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_6470000_CasPol.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 6e45f37a40bef28178393869b6015f5456809c9cae770551a63f7ee7a9e91d47
                                                                                    • Instruction ID: 16e7b725d3212c31d3f65b458d326528dfaba17a9806e6dbddfe5bb468a2755a
                                                                                    • Opcode Fuzzy Hash: 6e45f37a40bef28178393869b6015f5456809c9cae770551a63f7ee7a9e91d47
                                                                                    • Instruction Fuzzy Hash: 3B01D435B102104FDBA6967CA8157FFBBDADBC5611F10892BE10EC7B45ED2ADC024391
                                                                                    Function 0647A3EA Relevance: .1, Instructions: 59COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4627166772.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_6470000_CasPol.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: c3f6b662483138678b8d5818ef211d69908232d82252bbbb8ffa03ccd839ef99
                                                                                    • Instruction ID: 58f7ccbc9770d83f097d98106d8e5ab62d8dc287063c519e10e5223fbe8e234a
                                                                                    • Opcode Fuzzy Hash: c3f6b662483138678b8d5818ef211d69908232d82252bbbb8ffa03ccd839ef99
                                                                                    • Instruction Fuzzy Hash: 3601D2317141204FDB66A638A85579FBBD9DB96720F00842AF14ACB342DE16DC839781
                                                                                    Function 064740D0 Relevance: .1, Instructions: 59COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4627166772.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_6470000_CasPol.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: dc7472645e93e22ed7fc2d9c9132db8dff75053fe8ca939f2147f3302214f6dc
                                                                                    • Instruction ID: 8436ac1ff62311fc55d8c0785688bc5ee125c08000a2f75ee4186ca4648ec581
                                                                                    • Opcode Fuzzy Hash: dc7472645e93e22ed7fc2d9c9132db8dff75053fe8ca939f2147f3302214f6dc
                                                                                    • Instruction Fuzzy Hash: 69118236B151258FDB55EA68C8146EF77FAEBC9220F018076D506E7340DE659C0287D0
                                                                                    Function 064740BF Relevance: .1, Instructions: 56COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4627166772.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_6470000_CasPol.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 2199d4fa2dd96dadfc349bd8719f57da7880102e9e1562bb96b0fb1371464633
                                                                                    • Instruction ID: 6ed8845693f4adc0aecb72f1fe6d5263e4d191d092cf8a842cc67d9de0afa36b
                                                                                    • Opcode Fuzzy Hash: 2199d4fa2dd96dadfc349bd8719f57da7880102e9e1562bb96b0fb1371464633
                                                                                    • Instruction Fuzzy Hash: A201F536F061214BEF65AA78CC143EF3BAF9BC9220F018176D406E7344DA228C0643E1
                                                                                    Function 0647F28F Relevance: .1, Instructions: 55COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4627166772.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_6470000_CasPol.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 26d6b08d9bde2d65b7fd1f30843fb22acc3ac285c477e42482b89d66fb3f47ad
                                                                                    • Instruction ID: 9f23242d5f60f4c4f7bdc420c76d22687304d7074eddce4e57586cbe22dcabec
                                                                                    • Opcode Fuzzy Hash: 26d6b08d9bde2d65b7fd1f30843fb22acc3ac285c477e42482b89d66fb3f47ad
                                                                                    • Instruction Fuzzy Hash: 6001F23AB145514FDBAA957CA4617EF7BD6DBC9220F10482BF90ACB341EE25CD064391
                                                                                    Function 0647315C Relevance: .1, Instructions: 55COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4627166772.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_6470000_CasPol.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: a624d0e2c9ff2794748e697e4b99d5c3919109395fe673c6d3cbd17b02e46477
                                                                                    • Instruction ID: e1cc8550b0d0b43d353c795142489643baab135f4418e325ad8d6a0064b9bfa3
                                                                                    • Opcode Fuzzy Hash: a624d0e2c9ff2794748e697e4b99d5c3919109395fe673c6d3cbd17b02e46477
                                                                                    • Instruction Fuzzy Hash: 0221C2B1D01259EFDB40DF9AD984ADEFFB4FB48714F10812AE918B7200D374A954CBA5
                                                                                    Function 06473D88 Relevance: .1, Instructions: 53COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4627166772.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_6470000_CasPol.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 233f6cbb5ae3b850831d4cdab7f0a76c6074d2e55a87e0db99f9aae9f3ca6d1d
                                                                                    • Instruction ID: c5e3c9049bd28abe44c8fa2764c8654d0bc40efb46b636ae31120cafab226262
                                                                                    • Opcode Fuzzy Hash: 233f6cbb5ae3b850831d4cdab7f0a76c6074d2e55a87e0db99f9aae9f3ca6d1d
                                                                                    • Instruction Fuzzy Hash: 4521F2B5C00219DFCB00CF99D984ADEFBB4FB48320F10851AE918B7600D374A954CBA4
                                                                                    Function 00CCD113 Relevance: .1, Instructions: 52COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4618312353.0000000000CCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CCD000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_ccd000_CasPol.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: d995b00d00e55cd09380dc6b4dc9fcb0e4c86312f1f46f4d8748a8c7f78b6f4c
                                                                                    • Instruction ID: c84d14c7c87f5006bdaf73adcf0fdee6d2a7597839ce2ad27d6ff75374e15fd9
                                                                                    • Opcode Fuzzy Hash: d995b00d00e55cd09380dc6b4dc9fcb0e4c86312f1f46f4d8748a8c7f78b6f4c
                                                                                    • Instruction Fuzzy Hash: 6B119DB5504284DFCB05CF10D9C4B19BFB2FB84328F28C6ADD84A4B666C33AD94ACB51
                                                                                    Function 06474318 Relevance: .1, Instructions: 51COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4627166772.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_6470000_CasPol.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: cb7fbc0fd89185cd3874ae113bf28514f94c62a860fd68f311cdfb882d6d5860
                                                                                    • Instruction ID: 11532d48a69abcd1b8866c83644f798ad494aa0d00326d21348d6931e9269f08
                                                                                    • Opcode Fuzzy Hash: cb7fbc0fd89185cd3874ae113bf28514f94c62a860fd68f311cdfb882d6d5860
                                                                                    • Instruction Fuzzy Hash: 9A01F431B101114BEBA9957C94157BFBBDADBC9710F10883EE10EC7744ED66EC024381
                                                                                    Function 0647F2A0 Relevance: .0, Instructions: 49COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4627166772.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_6470000_CasPol.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 9666ff62d76be5d96fca16409afed602b646315f88e844ecd7e30837bc3a7d4f
                                                                                    • Instruction ID: e08e156882fc03508b707b53e164d27fec87e853102f36c1c458236c6a4234ec
                                                                                    • Opcode Fuzzy Hash: 9666ff62d76be5d96fca16409afed602b646315f88e844ecd7e30837bc3a7d4f
                                                                                    • Instruction Fuzzy Hash: 4501A435B105114FDBA9957C9454BAF7BDADBC9720F10843AF50EC7340EE66DC064395
                                                                                    Function 0647A3F8 Relevance: .0, Instructions: 46COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4627166772.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_6470000_CasPol.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 5fcc3dd658ae0524e96081f8c881e751ce6a587bc35bfd82706be95f80b4d2c9
                                                                                    • Instruction ID: 32c76a82108bf70f3b40cf0cfc0c4f226cba9e9b64980bce5e8121e2811e8f45
                                                                                    • Opcode Fuzzy Hash: 5fcc3dd658ae0524e96081f8c881e751ce6a587bc35bfd82706be95f80b4d2c9
                                                                                    • Instruction Fuzzy Hash: 6D018131B100204FDB65EA3CD45479FB7D9DB85710F10842AE50EC7345EE22EC425781
                                                                                    Function 06474B61 Relevance: .0, Instructions: 25COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4627166772.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_6470000_CasPol.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: f1142391cec36721d75e2ee9c4fde8ae839714709b0e43d91c147dbdad83175f
                                                                                    • Instruction ID: d484eacd2e95c09bf93ba349ef90dba24313738ee608049a165a9fb33a1332b9
                                                                                    • Opcode Fuzzy Hash: f1142391cec36721d75e2ee9c4fde8ae839714709b0e43d91c147dbdad83175f
                                                                                    • Instruction Fuzzy Hash: 2BF0DA30A24119EFDB14DF94E899BEEBBB2FF48700F20411AE402A7290CB706D01DBC0
                                                                                    Function 06476570 Relevance: .0, Instructions: 22COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.4627166772.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_6470000_CasPol.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 60989437eb31f36a88b24c626a9401e03f262ae62647aa4789d74cd00d0c7935
                                                                                    • Instruction ID: 346e303901a70eb7f4c84063be3c708d0f4b3819d5648b4fafe708c863c4dd21
                                                                                    • Opcode Fuzzy Hash: 60989437eb31f36a88b24c626a9401e03f262ae62647aa4789d74cd00d0c7935
                                                                                    • Instruction Fuzzy Hash: D3E0C270E10208ABDF60CEB4E94579F73AEE705204F2188A6D408CB302E532DA01A780

                                                                                    Executed Functions

                                                                                    Function 01860D60 Relevance: 1.4, Strings: 1, Instructions: 148COMMON
                                                                                    Download Yara Rule
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.2333358355.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_1860000_newapp.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: P
                                                                                    • API String ID: 0-3110715001
                                                                                    • Opcode ID: c0834f195f31559e66ab14b141dbb1d50a420f078b9d99c35c683f6c1c925ea4
                                                                                    • Instruction ID: 44450bc6132b478971dc10c05ae18d07577c740a255d833ec51cb700b4da6d35
                                                                                    • Opcode Fuzzy Hash: c0834f195f31559e66ab14b141dbb1d50a420f078b9d99c35c683f6c1c925ea4
                                                                                    • Instruction Fuzzy Hash: C051B671B002199FDB15DB68C850A5EBBF6FF85700F15866AE012EB391DB71ED46C780
                                                                                    Function 01860D50 Relevance: 1.4, Strings: 1, Instructions: 138COMMON
                                                                                    Download Yara Rule
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.2333358355.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_1860000_newapp.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: P
                                                                                    • API String ID: 0-3110715001
                                                                                    • Opcode ID: e194b94ce23da9425ed7c81faec10cc9b94d763deb3ab50afa12292831aec8b3
                                                                                    • Instruction ID: c06cf25e8f2316b0d8aa72368f2a9d0d5dde514a0374c2f6a794c7fc24135692
                                                                                    • Opcode Fuzzy Hash: e194b94ce23da9425ed7c81faec10cc9b94d763deb3ab50afa12292831aec8b3
                                                                                    • Instruction Fuzzy Hash: 17417070B006199FDB15DB68C850A6EB7F6FF88700F148669E412EB391DB71AD46CB84
                                                                                    Function 01861510 Relevance: 1.1, Instructions: 1147COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.2333358355.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_1860000_newapp.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 25040707d2d08d6ef22dd0c571e16a59250c1c7291b04dd6b816937abed901ee
                                                                                    • Instruction ID: d31fa613a34342e72c9380433c4650c720ccaa0021583311eac492affe8ccd53
                                                                                    • Opcode Fuzzy Hash: 25040707d2d08d6ef22dd0c571e16a59250c1c7291b04dd6b816937abed901ee
                                                                                    • Instruction Fuzzy Hash: 05C158356001159FCB15DF68D59CE29BBBAFF88310F4AC498E40ADB6A2CB34EE41CB41
                                                                                    Function 01860FE0 Relevance: .7, Instructions: 665COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.2333358355.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_1860000_newapp.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 7162866619ab32e7b6b1174a26cd899177196ea72d21706a3b15560288d4c227
                                                                                    • Instruction ID: 62507b7b2696a5bc156ff9e73c144a03eb990d050a1e87b35fb739b1e67bc74b
                                                                                    • Opcode Fuzzy Hash: 7162866619ab32e7b6b1174a26cd899177196ea72d21706a3b15560288d4c227
                                                                                    • Instruction Fuzzy Hash: 9851F631A093859FCB069B78D85866E7FB9EFC6310F0580EAE445DB293DA349D06C792
                                                                                    Function 018606E4 Relevance: .2, Instructions: 246COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.2333358355.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_1860000_newapp.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: aec24b82982d2ad8c5d275c19204ab87f1d95df10f08333892fefb0085ba881e
                                                                                    • Instruction ID: 5910a06ce3232b298d87d850ce95e35156ef8effd03d341d7b7fbf1a23b91d09
                                                                                    • Opcode Fuzzy Hash: aec24b82982d2ad8c5d275c19204ab87f1d95df10f08333892fefb0085ba881e
                                                                                    • Instruction Fuzzy Hash: B7319070A04349DFE70ACFB9D805A6ABFB6EBCD300F14D0AAC80897366DA795D45DB11
                                                                                    Function 01860B08 Relevance: .1, Instructions: 111COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.2333358355.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_1860000_newapp.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: d301bcd2a094b0c046b740a4b4f37c6ca57f6d15a1b4f47f6c3975c8dcd2b315
                                                                                    • Instruction ID: d5c320d707c4b77e8c37a479896a3a3a74c8faa99695cbf8b723e48fa3156987
                                                                                    • Opcode Fuzzy Hash: d301bcd2a094b0c046b740a4b4f37c6ca57f6d15a1b4f47f6c3975c8dcd2b315
                                                                                    • Instruction Fuzzy Hash: AC417674B10208DFCB14DF74E498A6EBBB6FF8C710F208569F4069B264DB30A946CB44
                                                                                    Function 018609F0 Relevance: .1, Instructions: 78COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.2333358355.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_1860000_newapp.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 293dece6d541f8b06519f90b7e4107414cb9c431e21eb1ded462e03111209a3d
                                                                                    • Instruction ID: 0f65277bfd92f26fb0402972bd83915f6be47c951c89339dcd6cb7545e6b453b
                                                                                    • Opcode Fuzzy Hash: 293dece6d541f8b06519f90b7e4107414cb9c431e21eb1ded462e03111209a3d
                                                                                    • Instruction Fuzzy Hash: CF2149753406118FCB49EB39C49892D7BF6AF8A72171505A8E506CF3B2DE36DC42CB91
                                                                                    Function 01860EF8 Relevance: .1, Instructions: 72COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.2333358355.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_1860000_newapp.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: d67b673d3889556f7a4515cb9ee4fe08ef41e7df2fca5bce8cf39d14bdbc598b
                                                                                    • Instruction ID: da1ec4def8c9ca8337ee6bdccf6e8ad964b57f5d1ecbc33a6fecc154db053dfa
                                                                                    • Opcode Fuzzy Hash: d67b673d3889556f7a4515cb9ee4fe08ef41e7df2fca5bce8cf39d14bdbc598b
                                                                                    • Instruction Fuzzy Hash: A221D130605206CFD7159B78D85462ABBE9FF85310F14C9AAE446CB3A5DB71DC86CB84
                                                                                    Function 01860848 Relevance: .1, Instructions: 67COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.2333358355.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_1860000_newapp.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 37af7ddb3960da95bb512996d2e9cc988b6c517616973331f2eca5f6a1dd002d
                                                                                    • Instruction ID: 30ecd7fc9e27d281a65233118dbc9565e3b8782e2c7857873603e967bc66d5bc
                                                                                    • Opcode Fuzzy Hash: 37af7ddb3960da95bb512996d2e9cc988b6c517616973331f2eca5f6a1dd002d
                                                                                    • Instruction Fuzzy Hash: 59214D70A00209DFE709DFAAE945A6ABFB6EBCC300F14D0A9880C57365DA7969459B01
                                                                                    Function 01860969 Relevance: .0, Instructions: 43COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.2333358355.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_1860000_newapp.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 2f4c6eda2ab8e01051bc47f366f02e4a7697853db0e97a5b0d700410ef36fedf
                                                                                    • Instruction ID: 1ff4453cd77821e2d6b284d9596b9c81343da2a1bcccd973aa27c8782ddea456
                                                                                    • Opcode Fuzzy Hash: 2f4c6eda2ab8e01051bc47f366f02e4a7697853db0e97a5b0d700410ef36fedf
                                                                                    • Instruction Fuzzy Hash: 40017C76A05209EFCB54DFB8D8085BE7BBAFF49321B14C16AE51AC3251DB319A018F94
                                                                                    Function 01860C73 Relevance: .0, Instructions: 43COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.2333358355.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_1860000_newapp.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: f7e8aac36de3378ab56c7cfe918803c7ebaf1b2eb91ddbb060f848d6ff2851da
                                                                                    • Instruction ID: a6fe94f831140eb922404de71050692c438dbd59a52198f321dda00d217e9fe9
                                                                                    • Opcode Fuzzy Hash: f7e8aac36de3378ab56c7cfe918803c7ebaf1b2eb91ddbb060f848d6ff2851da
                                                                                    • Instruction Fuzzy Hash: AF11E034E01208DFEB18DFA5E198A6DBBB2AF88711F208428E402D7265DE749904CF08
                                                                                    Function 01860978 Relevance: .0, Instructions: 37COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.2333358355.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_1860000_newapp.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 38fbaf81b701c9acf6ab0209ae5adef237cb560b6660baba15916791ce6d5345
                                                                                    • Instruction ID: f0de09e950e148c3f4bd82a5bbbd2776c20aa9918fafe26eab5ab0080ac8d9ef
                                                                                    • Opcode Fuzzy Hash: 38fbaf81b701c9acf6ab0209ae5adef237cb560b6660baba15916791ce6d5345
                                                                                    • Instruction Fuzzy Hash: A7014671A01208DFCB68EFB8E40957E7BB9FB48321B14C56AE41AD3284DB349A00CF80

                                                                                    Executed Functions

                                                                                    Function 00B10D60 Relevance: 1.5, Strings: 1, Instructions: 216COMMON
                                                                                    Download Yara Rule
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.2415589293.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_13_2_b10000_newapp.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: P
                                                                                    • API String ID: 0-3110715001
                                                                                    • Opcode ID: fb3fbf92c029e86e752d69b506fc09e89f460162b7288e0db45b47ca7d22b8ed
                                                                                    • Instruction ID: f38d7d372262a25de0fedae37a85e767ec5d01e83b4fcae5215c7eca398d432c
                                                                                    • Opcode Fuzzy Hash: fb3fbf92c029e86e752d69b506fc09e89f460162b7288e0db45b47ca7d22b8ed
                                                                                    • Instruction Fuzzy Hash: 0C71A131B002059FDB15EB74C8546AEBBF5FF89300F2586AAD4159B392DB71AC86CB80
                                                                                    Function 00B10D50 Relevance: 1.4, Strings: 1, Instructions: 135COMMON
                                                                                    Download Yara Rule
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.2415589293.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_13_2_b10000_newapp.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: P
                                                                                    • API String ID: 0-3110715001
                                                                                    • Opcode ID: 8fa43ee1cc29ec759fd732f408ec386f730e74d7257918e837af54ef47ff16af
                                                                                    • Instruction ID: bc366208282f0e970e153369903e3f4849137fedcf494f13ec81f86b454f15ea
                                                                                    • Opcode Fuzzy Hash: 8fa43ee1cc29ec759fd732f408ec386f730e74d7257918e837af54ef47ff16af
                                                                                    • Instruction Fuzzy Hash: F9418E71F102099FDB14DB65D450B9EB7F2FF88700F648669E406AB391DB71AD86CB80
                                                                                    Function 00B11510 Relevance: 1.1, Instructions: 1147COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.2415589293.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_13_2_b10000_newapp.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: ed0a1c2829783caef707cbcb00856835384e8067591c8ca47f60d150bca1e271
                                                                                    • Instruction ID: 7fd5bcd6e3ad1941f02079930ee91960fe52905affb55ab639a62954131c58e0
                                                                                    • Opcode Fuzzy Hash: ed0a1c2829783caef707cbcb00856835384e8067591c8ca47f60d150bca1e271
                                                                                    • Instruction Fuzzy Hash: C6C13035A002118FDB44EF68D5A8E9D77F2BF88300F97C898D5169B262DB74ED82CB44
                                                                                    Function 00B10FE0 Relevance: .6, Instructions: 647COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.2415589293.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_13_2_b10000_newapp.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 5ab42ff5c465471cba786a6c57af083dac2ceb4c107537300f607d7f7fd7d112
                                                                                    • Instruction ID: 916987b12e6b446317e4984cccd38097b2c59e5d99019fc0bab81fec5ae12968
                                                                                    • Opcode Fuzzy Hash: 5ab42ff5c465471cba786a6c57af083dac2ceb4c107537300f607d7f7fd7d112
                                                                                    • Instruction Fuzzy Hash: AA511635A043948FC706DB78D824AAE7FB5EF85300B4684EAE544CB263CB349C46CB91
                                                                                    Function 00B106E4 Relevance: .2, Instructions: 242COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.2415589293.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_13_2_b10000_newapp.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 38e8e881266b454d8eba7f7107246dc2aed220fef0c0fe0e8494dafebf736cc2
                                                                                    • Instruction ID: 6c2530f806f192306533116cf488a62e0a24ece33112e33c32886b0428a6c356
                                                                                    • Opcode Fuzzy Hash: 38e8e881266b454d8eba7f7107246dc2aed220fef0c0fe0e8494dafebf736cc2
                                                                                    • Instruction Fuzzy Hash: 98316F74A04344DFE70ADFBAE965B59BFB2ABCD300F14C0A9C4089726BDB781946DB01
                                                                                    Function 00B10B08 Relevance: .1, Instructions: 109COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.2415589293.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_13_2_b10000_newapp.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: d83552995d87380fa64f2ba94d2fc540150cd4aaba65153493e20804a87dec76
                                                                                    • Instruction ID: 862e074efe98bd8de1a32bb285b8e06e1e3ca2984f8328218dc252721223cf09
                                                                                    • Opcode Fuzzy Hash: d83552995d87380fa64f2ba94d2fc540150cd4aaba65153493e20804a87dec76
                                                                                    • Instruction Fuzzy Hash: 4E415E34B10204DFDB14EFB5E898AAEBBB2FF8C700B218559E406D7365DB749886CB44
                                                                                    Function 00B109F0 Relevance: .1, Instructions: 73COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.2415589293.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_13_2_b10000_newapp.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 12f76e9db550788a1f768881faa26fdc1ac7002de169e9aadfe4194b1adafd48
                                                                                    • Instruction ID: 6b685281500b1f3f5064915d207ea6088d7ca20b5922f89194ac2f5e724c912d
                                                                                    • Opcode Fuzzy Hash: 12f76e9db550788a1f768881faa26fdc1ac7002de169e9aadfe4194b1adafd48
                                                                                    • Instruction Fuzzy Hash: 9C2108353012118FC759AB39C4A896D7BF6EF8A71535605A8E506CF372DE36DC42CB90
                                                                                    Function 00B10EF0 Relevance: .1, Instructions: 69COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.2415589293.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_13_2_b10000_newapp.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 1c59b2d2b5bb591aaa0e32783baba87bdebd45895f422e78813a5e1eeda66152
                                                                                    • Instruction ID: 5953b88131bf21bbc6a54519099e2c5804537621a57169af06ec9f901cbf4b02
                                                                                    • Opcode Fuzzy Hash: 1c59b2d2b5bb591aaa0e32783baba87bdebd45895f422e78813a5e1eeda66152
                                                                                    • Instruction Fuzzy Hash: 9D21A530600212CFDB29EB74986576ABBE5EFC8310B14C5A9E415CB366DB71DC87CB44
                                                                                    Function 00B10848 Relevance: .1, Instructions: 67COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.2415589293.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_13_2_b10000_newapp.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 82090769cd69b57117bc1096bbb2b893c204df62a73e7a3be1788adb7eb79ea1
                                                                                    • Instruction ID: 2a780514641c03b1d6c60afcaf446a6d6693e01ec9c6e5163d15736403faba45
                                                                                    • Opcode Fuzzy Hash: 82090769cd69b57117bc1096bbb2b893c204df62a73e7a3be1788adb7eb79ea1
                                                                                    • Instruction Fuzzy Hash: 55214B74A00344DBE709EFBAE965B59BFA7ABCC300F14C069D4089336AEF781946DB00
                                                                                    Function 00B10EF8 Relevance: .1, Instructions: 64COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.2415589293.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_13_2_b10000_newapp.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 2446eb0c673b5386ba2d31be7ad94cc56702b913cd65987993af7f928f5918a4
                                                                                    • Instruction ID: 187444ff5a993d588074070dd6b5e78b2aeb768036d86838d6d32cb1fa8363b3
                                                                                    • Opcode Fuzzy Hash: 2446eb0c673b5386ba2d31be7ad94cc56702b913cd65987993af7f928f5918a4
                                                                                    • Instruction Fuzzy Hash: C511B130600212CBDB29EB75D86576AB7E5EBC8310B24C5AAE4158B365DB71DC86CB84
                                                                                    Function 00B10C73 Relevance: .0, Instructions: 43COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.2415589293.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_13_2_b10000_newapp.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 13d475367948bb151ffd4cf69124af4018915990a68a10f53e3662da3c338773
                                                                                    • Instruction ID: ea26f0e4c8ba582608a3d2bca67a2c9980d4d24724b8d24aedd77a91fb3578a3
                                                                                    • Opcode Fuzzy Hash: 13d475367948bb151ffd4cf69124af4018915990a68a10f53e3662da3c338773
                                                                                    • Instruction Fuzzy Hash: 57117234E01209EFDB18EBB1E598B9DBBB2AF88611F208469E41297261DE749885CF44
                                                                                    Function 00B1096A Relevance: .0, Instructions: 39COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.2415589293.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_13_2_b10000_newapp.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 676ec6f5858cb1d0742b788070a731f0abe331a33c8d16e7dcb57a67b1910df5
                                                                                    • Instruction ID: 7daa9ba5cdb0990a8e4fa966a4a41a31723605de3e345f80ff765c52f1deadab
                                                                                    • Opcode Fuzzy Hash: 676ec6f5858cb1d0742b788070a731f0abe331a33c8d16e7dcb57a67b1910df5
                                                                                    • Instruction Fuzzy Hash: ED01A235D00204CFC744EFB8E8299AD7FB4FF09311B2685AAE416C32A1DB709845CF80
                                                                                    Function 00B10978 Relevance: .0, Instructions: 37COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000D.00000002.2415589293.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_13_2_b10000_newapp.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 770bac98a49eb78791bc80ef526f7ce03606a191c9450e53ed89df7b05548ced
                                                                                    • Instruction ID: 19370a4330cfc30f26c956900a2e9313cc86c2e97e14fb5dac96686a53a687d8
                                                                                    • Opcode Fuzzy Hash: 770bac98a49eb78791bc80ef526f7ce03606a191c9450e53ed89df7b05548ced
                                                                                    • Instruction Fuzzy Hash: 1F018131900214CFCB44EFB8E8289AE7BB5FB48311B22856AE416D32A1DF749D41CF84