Windows Analysis Report
RFQ-004282A.Teknolojileri A.S.exe

Overview

General Information

Sample name: RFQ-004282A.Teknolojileri A.S.exe
Analysis ID: 1573521
MD5: 6ea849b727eea7b7487aa0941258f8bd
SHA1: 6fca473e6498bde1b015e95fd612d156727a19fc
SHA256: f6e159f0e6c27e334d951dd08dff7819878b7ac4318b5dcd1a2d9975062ab8d1
Tags: AgentTesla, exe, geo, TUR, user-abuse_ch

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Disables UAC (registry)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file does not import any functions
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • RFQ-004282A.Teknolojileri A.S.exe (PID: 2928 cmdline: "C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.exe" MD5: 6EA849B727EEA7B7487AA0941258F8BD)
    • conhost.exe (PID: 2636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 5816 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.exe" -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 3964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegAsm.exe (PID: 6564 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
    • WerFault.exe (PID: 7120 cmdline: C:\Windows\system32\WerFault.exe -u -p 2928 -s 1132 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • newapp.exe (PID: 1892 cmdline: "C:\Users\user\AppData\Roaming\newapp\newapp.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
    • conhost.exe (PID: 408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • newapp.exe (PID: 5968 cmdline: "C:\Users\user\AppData\Roaming\newapp\newapp.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
    • conhost.exe (PID: 1440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Extracted malware configuration: {"Exfil Mode": "FTP", "Host": "ftp://ftp.ercolina-usa.com", "Username": "ben@ercolina-usa.com", "Password": "nXe0M~WkW&nJ"}
Yara matches in memory (Source, Rule, Description, Author):
Source: 00000000.00000002.2405086703.0000029D8F0FB000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Author: Joe Security
Source: 00000005.00000002.4534794100.0000000002E3C000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
Source: 00000005.00000002.4534794100.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Author: Joe Security
Source: 00000005.00000002.4534794100.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
Source: 00000005.00000002.4532768397.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Author: Joe Security
Yara matches in unpacked PE files (Source, Rule, Description, Author, Strings):
Source: 0.2.RFQ-004282A.Teknolojileri A.S.exe.29d9ec7bf08.2.unpack, Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Author: Joe Security
Source: 0.2.RFQ-004282A.Teknolojileri A.S.exe.29d9ec7bf08.2.unpack, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
Source: 0.2.RFQ-004282A.Teknolojileri A.S.exe.29d9ec7bf08.2.unpack, Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen
  • 0x33bdc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x33c4e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x33cd8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x33d6a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x33dd4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x33e46:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x33edc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x33f6c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Source: 0.2.RFQ-004282A.Teknolojileri A.S.exe.29d9ec7bf08.2.unpack, Rule: MALWARE_Win_AgentTeslaV2, Description: AgenetTesla Type 2 Keylogger payload, Author: ditekSHen
  • 0x30dec:$s2: GetPrivateProfileString
  • 0x30472:$s3: get_OSFullName
  • 0x31b69:$s5: remove_Key
  • 0x31d29:$s5: remove_Key
  • 0x32ca1:$s6: FtpWebRequest
  • 0x33bbe:$s7: logins
  • 0x34130:$s7: logins
  • 0x36e41:$s7: logins
  • 0x36ef3:$s7: logins
  • 0x389be:$s7: logins
  • 0x37a8d:$s9: 1.85 (Hash, version 2, native byte-order)
Source: 0.2.RFQ-004282A.Teknolojileri A.S.exe.29d9ec3ecc0.4.unpack, Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Author: Joe Security

System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.exe", ParentImage: C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.exe, ParentProcessId: 2928, ParentProcessName: RFQ-004282A.Teknolojileri A.S.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.exe" -Force, ProcessId: 5816, ProcessName: powershell.exe
Source: Registry Key set, Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), Data: Details: C:\Users\user\AppData\Roaming\newapp\newapp.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ProcessId: 6564, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\newapp
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.exe", ParentImage: C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.exe, ParentProcessId: 2928, ParentProcessName: RFQ-004282A.Teknolojileri A.S.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.exe" -Force, ProcessId: 5816, ProcessName: powershell.exe
No Suricata rule has matched

AV Detection

Source: 5.2.RegAsm.exe.400000.0.unpack, Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.ercolina-usa.com", "Username": "ben@ercolina-usa.com", "Password": "nXe0M~WkW&nJ"}
Source: RFQ-004282A.Teknolojileri A.S.exe, Virustotal: Detection: 33%
Source: RFQ-004282A.Teknolojileri A.S.exe, ReversingLabs: Detection: 34%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: RFQ-004282A.Teknolojileri A.S.exe, Joe Sandbox ML: detected

Exploits

Source: Yara match, File source: 00000000.00000002.2405086703.0000029D8F0FB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: RFQ-004282A.Teknolojileri A.S.exe PID: 2928, type: MEMORYSTR
Source: unknown, HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: RFQ-004282A.Teknolojileri A.S.exe, Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: System.ni.pdbRSDS source: WER30C2.tmp.dmp.8.dr
Source: Binary string: Microsoft.CSharp.pdb source: WER30C2.tmp.dmp.8.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb[ source: RFQ-004282A.Teknolojileri A.S.exe, 00000000.00000002.2404604728.0000029D8CF54000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Windows.Forms.ni.pdb source: WER30C2.tmp.dmp.8.dr
Source: Binary string: RegAsm.pdb source: newapp.exe, 0000000B.00000000.2247594013.0000000000562000.00000002.00000001.01000000.00000009.sdmp, newapp.exe.5.dr
Source: Binary string: System.Drawing.ni.pdb source: WER30C2.tmp.dmp.8.dr
Source: Binary string: RFQ-004282A.Teknolojileri A.S.PDB source: RFQ-004282A.Teknolojileri A.S.exe, 00000000.00000002.2404366100.000000EA73563000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.PDB> source: RFQ-004282A.Teknolojileri A.S.exe, 00000000.00000002.2404366100.000000EA73563000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER30C2.tmp.dmp.8.dr
Source: Binary string: \??\C:\Windows\symbols\dll\System.Core.pdb3 source: RFQ-004282A.Teknolojileri A.S.exe, 00000000.00000002.2407649607.0000029DA73A6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.Core.pdbpdbore.pdbph source: RFQ-004282A.Teknolojileri A.S.exe, 00000000.00000002.2407649607.0000029DA73A6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Drawing.ni.pdbRSDS source: WER30C2.tmp.dmp.8.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: RFQ-004282A.Teknolojileri A.S.exe, 00000000.00000002.2404604728.0000029D8CF54000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdb source: WER30C2.tmp.dmp.8.dr
Source: Binary string: System.Drawing.pdbH source: WER30C2.tmp.dmp.8.dr
Source: Binary string: System.Core.ni.pdb source: WER30C2.tmp.dmp.8.dr
Source: Binary string: System.Windows.Forms.pdb source: WER30C2.tmp.dmp.8.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: RFQ-004282A.Teknolojileri A.S.exe, 00000000.00000002.2404604728.0000029D8CF54000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: RFQ-004282A.Teknolojileri A.S.exe, 00000000.00000002.2407649607.0000029DA73A6000.00000004.00000020.00020000.00000000.sdmp, WER30C2.tmp.dmp.8.dr
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: RFQ-004282A.Teknolojileri A.S.exe, 00000000.00000002.2407649607.0000029DA73A6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: RFQ-004282A.Teknolojileri A.S.exe, 00000000.00000002.2404366100.000000EA73563000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WER30C2.tmp.dmp.8.dr
Source: Binary string: System.Dynamic.pdb source: WER30C2.tmp.dmp.8.dr
Source: Binary string: System.Windows.Forms.pdb0 source: WER30C2.tmp.dmp.8.dr
Source: Binary string: System.Drawing.pdb source: WER30C2.tmp.dmp.8.dr
Source: Binary string: mscorlib.ni.pdb source: WER30C2.tmp.dmp.8.dr
Source: Binary string: \??\C:\Windows\dll\System.Core.pdb source: RFQ-004282A.Teknolojileri A.S.exe, 00000000.00000002.2407649607.0000029DA7325000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: RFQ-004282A.Teknolojileri A.S.exe, 00000000.00000002.2404604728.0000029D8CFC6000.00000004.00000020.00020000.00000000.sdmp, RFQ-004282A.Teknolojileri A.S.exe, 00000000.00000002.2407649607.0000029DA73A6000.00000004.00000020.00020000.00000000.sdmp, WER30C2.tmp.dmp.8.dr
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: RFQ-004282A.Teknolojileri A.S.exe, 00000000.00000002.2407649607.0000029DA73A6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: pC:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.PDB source: RFQ-004282A.Teknolojileri A.S.exe, 00000000.00000002.2404366100.000000EA73563000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Core.pdbesH source: RFQ-004282A.Teknolojileri A.S.exe, 00000000.00000002.2407649607.0000029DA7325000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: RegAsm.pdb4 source: newapp.exe, 0000000B.00000000.2247594013.0000000000562000.00000002.00000001.01000000.00000009.sdmp, newapp.exe.5.dr
Source: Binary string: System.Core.pdbk source: RFQ-004282A.Teknolojileri A.S.exe, 00000000.00000002.2404604728.0000029D8CFC6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.PDB@:= source: RFQ-004282A.Teknolojileri A.S.exe, 00000000.00000002.2404366100.000000EA73563000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.ni.pdb source: WER30C2.tmp.dmp.8.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WER30C2.tmp.dmp.8.dr
Source: Joe Sandbox View, IP Address: 192.254.225.136
Source: Joe Sandbox View, IP Address: 172.67.74.152
Source: Joe Sandbox View, ASN Name: UNIFIEDLAYER-AS-1US
Source: Joe Sandbox View, JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown, DNS query: name: api.ipify.org
Source: global traffic, HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic, DNS traffic detected: DNS query: api.ipify.org
Source: global traffic, DNS traffic detected: DNS query: ftp.ercolina-usa.com
Source: RegAsm.exe, 00000005.00000002.4534794100.0000000002FD3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.4534794100.0000000002FB5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.4534794100.0000000002E3C000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://ercolina-usa.com
Source: RegAsm.exe, 00000005.00000002.4534794100.0000000002FD3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.4534794100.0000000002FB5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.4534794100.0000000002E3C000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://ftp.ercolina-usa.com
Source: newapp.exe, 0000000D.00000002.2333404293.0000000000978000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://go.microsoft.ch
Source: RegAsm.exe, 00000005.00000002.4534794100.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.8.dr, String found in binary or memory: http://upx.sf.net
Source: RFQ-004282A.Teknolojileri A.S.exe, 00000000.00000002.2406340649.0000029D9EC01000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.4532768397.0000000000402000.00000040.00000400.00020000.00000000.sdmp, String found in binary or memory: https://account.dyn.com/
Source: RFQ-004282A.Teknolojileri A.S.exe, 00000000.00000002.2406340649.0000029D9EC01000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.4532768397.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.4534794100.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://api.ipify.org
Source: RegAsm.exe, 00000005.00000002.4534794100.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://api.ipify.org/
Source: RegAsm.exe, 00000005.00000002.4534794100.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://api.ipify.org/t
Source: unknown, Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49704

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.RFQ-004282A.Teknolojileri A.S.exe.29d9ec3ecc0.4.raw.unpack, SKTzxzsJw.cs, .Net Code: KdRT1gFnIpl
Source: 0.2.RFQ-004282A.Teknolojileri A.S.exe.29d9ec7bf08.2.raw.unpack, SKTzxzsJw.cs, .Net Code: KdRT1gFnIpl
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Window created: window name: CLIPBRDWNDCLASS

System Summary

Source: 0.2.RFQ-004282A.Teknolojileri A.S.exe.29d9ec7bf08.2.unpack, type: UNPACKEDPE, Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen
Source: 0.2.RFQ-004282A.Teknolojileri A.S.exe.29d9ec7bf08.2.unpack, type: UNPACKEDPE, Matched rule: AgenetTesla Type 2 Keylogger payload, Author: ditekSHen
Source: 0.2.RFQ-004282A.Teknolojileri A.S.exe.29d9ec3ecc0.4.unpack, type: UNPACKEDPE, Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen
Source: 0.2.RFQ-004282A.Teknolojileri A.S.exe.29d9ec3ecc0.4.unpack, type: UNPACKEDPE, Matched rule: AgenetTesla Type 2 Keylogger payload, Author: ditekSHen
Source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen
Source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: AgenetTesla Type 2 Keylogger payload, Author: ditekSHen
Source: 0.2.RFQ-004282A.Teknolojileri A.S.exe.29d9ec7bf08.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen
Source: 0.2.RFQ-004282A.Teknolojileri A.S.exe.29d9ec7bf08.2.raw.unpack, type: UNPACKEDPE, Matched rule: AgenetTesla Type 2 Keylogger payload, Author: ditekSHen
Source: 0.2.RFQ-004282A.Teknolojileri A.S.exe.29d9ec3ecc0.4.raw.unpack, type: UNPACKEDPE, Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen
Source: 0.2.RFQ-004282A.Teknolojileri A.S.exe.29d9ec3ecc0.4.raw.unpack, type: UNPACKEDPE, Matched rule: AgenetTesla Type 2 Keylogger payload, Author: ditekSHen
Source: initial sample, Static PE information: Filename: RFQ-004282A.Teknolojileri A.S.exe
Source: C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.exe, Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2928 -s 1132
Source: RFQ-004282A.Teknolojileri A.S.exe, Static PE information: No import functions for PE file found
Source: RFQ-004282A.Teknolojileri A.S.exe, 00000000.00000000.2064045283.0000029D8CDA2000.00000002.00000001.01000000.00000003.sdmp, Binary or memory string: OriginalFilenameConsoleApplication2.exeH vs RFQ-004282A.Teknolojileri A.S.exe
Source: RFQ-004282A.Teknolojileri A.S.exe, 00000000.00000002.2406340649.0000029D9EC01000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: OriginalFilename4050351b-3b81-4030-83d1-4403e211abfe.exe4 vs RFQ-004282A.Teknolojileri A.S.exe
Source: RFQ-004282A.Teknolojileri A.S.exe, 00000000.00000002.2406340649.0000029D9EC01000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameOdogogisoJ vs RFQ-004282A.Teknolojileri A.S.exe
Source: RFQ-004282A.Teknolojileri A.S.exe, Binary or memory string: OriginalFilenameConsoleApplication2.exeH vs RFQ-004282A.Teknolojileri A.S.exe
Source: 0.2.RFQ-004282A.Teknolojileri A.S.exe.29d9ec7bf08.2.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.RFQ-004282A.Teknolojileri A.S.exe.29d9ec7bf08.2.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.RFQ-004282A.Teknolojileri A.S.exe.29d9ec3ecc0.4.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.RFQ-004282A.Teknolojileri A.S.exe.29d9ec3ecc0.4.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.RFQ-004282A.Teknolojileri A.S.exe.29d9ec7bf08.2.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.RFQ-004282A.Teknolojileri A.S.exe.29d9ec7bf08.2.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.RFQ-004282A.Teknolojileri A.S.exe.29d9ec3ecc0.4.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.RFQ-004282A.Teknolojileri A.S.exe.29d9ec3ecc0.4.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: RFQ-004282A.Teknolojileri A.S.exe, -----.cs, Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.RFQ-004282A.Teknolojileri A.S.exe.29d9ec3ecc0.4.raw.unpack, 4JJG6X.cs, Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.RFQ-004282A.Teknolojileri A.S.exe.29d9ec3ecc0.4.raw.unpack, 8C78isHTVco.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.RFQ-004282A.Teknolojileri A.S.exe.29d9ec3ecc0.4.raw.unpack, CqSP68Ir.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.RFQ-004282A.Teknolojileri A.S.exe.29d9ec3ecc0.4.raw.unpack, CqSP68Ir.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winEXE@12/14@2/2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File created: C:\Users\user\AppData\Roaming\newapp
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2928
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3964:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2636:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1440:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:408:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wkrampcq.j41.ps1
Source: RFQ-004282A.Teknolojileri A.S.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: RFQ-004282A.Teknolojileri A.S.exe | Static file information: TRID: Win64 Executable Console Net Framework (206006/5) 48.58%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: RFQ-004282A.Teknolojileri A.S.exe | Virustotal: Detection: 33%
Source: RFQ-004282A.Teknolojileri A.S.exe | ReversingLabs: Detection: 34%
Source: C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.exe | File read: C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.exe
Source: unknown | Process created: C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.exe "C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.exe"
Source: C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.exe" -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Source: C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2928 -s 1132
Source: unknown | Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe "C:\Users\user\AppData\Roaming\newapp\newapp.exe"
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe "C:\Users\user\AppData\Roaming\newapp\newapp.exe"
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: vaultcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                  Source: Window RecorderWindow detected: More than 3 window changes detected
                  Source: C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\ProfilesJump to behavior
                  Source: RFQ-004282A.Teknolojileri A.S.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: RFQ-004282A.Teknolojileri A.S.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: Binary string: System.ni.pdbRSDS source: WER30C2.tmp.dmp.8.dr
                  Source: Binary string: Microsoft.CSharp.pdb source: WER30C2.tmp.dmp.8.dr
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb[ source: RFQ-004282A.Teknolojileri A.S.exe, 00000000.00000002.2404604728.0000029D8CF54000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Windows.Forms.ni.pdb source: WER30C2.tmp.dmp.8.dr
                  Source: Binary string: RegAsm.pdb source: newapp.exe, 0000000B.00000000.2247594013.0000000000562000.00000002.00000001.01000000.00000009.sdmp, newapp.exe.5.dr
                  Source: Binary string: System.Drawing.ni.pdb source: WER30C2.tmp.dmp.8.dr
                  Source: Binary string: RFQ-004282A.Teknolojileri A.S.PDB source: RFQ-004282A.Teknolojileri A.S.exe, 00000000.00000002.2404366100.000000EA73563000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.PDB> source: RFQ-004282A.Teknolojileri A.S.exe, 00000000.00000002.2404366100.000000EA73563000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER30C2.tmp.dmp.8.dr
                  Source: Binary string: \??\C:\Windows\symbols\dll\System.Core.pdb3 source: RFQ-004282A.Teknolojileri A.S.exe, 00000000.00000002.2407649607.0000029DA73A6000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Windows\System.Core.pdbpdbore.pdbph source: RFQ-004282A.Teknolojileri A.S.exe, 00000000.00000002.2407649607.0000029DA73A6000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Drawing.ni.pdbRSDS source: WER30C2.tmp.dmp.8.dr
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: RFQ-004282A.Teknolojileri A.S.exe, 00000000.00000002.2404604728.0000029D8CF54000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.pdb source: WER30C2.tmp.dmp.8.dr
                  Source: Binary string: System.Drawing.pdbH source: WER30C2.tmp.dmp.8.dr
                  Source: Binary string: System.Core.ni.pdb source: WER30C2.tmp.dmp.8.dr
                  Source: Binary string: System.Windows.Forms.pdb source: WER30C2.tmp.dmp.8.dr
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: RFQ-004282A.Teknolojileri A.S.exe, 00000000.00000002.2404604728.0000029D8CF54000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: mscorlib.pdb source: RFQ-004282A.Teknolojileri A.S.exe, 00000000.00000002.2407649607.0000029DA73A6000.00000004.00000020.00020000.00000000.sdmp, WER30C2.tmp.dmp.8.dr
                  Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: RFQ-004282A.Teknolojileri A.S.exe, 00000000.00000002.2407649607.0000029DA73A6000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: RFQ-004282A.Teknolojileri A.S.exe, 00000000.00000002.2404366100.000000EA73563000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WER30C2.tmp.dmp.8.dr
                  Source: Binary string: System.Dynamic.pdb source: WER30C2.tmp.dmp.8.dr
                  Source: Binary string: System.Windows.Forms.pdb0 source: WER30C2.tmp.dmp.8.dr
                  Source: Binary string: System.Drawing.pdb source: WER30C2.tmp.dmp.8.dr
                  Source: Binary string: mscorlib.ni.pdb source: WER30C2.tmp.dmp.8.dr
                  Source: Binary string: \??\C:\Windows\dll\System.Core.pdb source: RFQ-004282A.Teknolojileri A.S.exe, 00000000.00000002.2407649607.0000029DA7325000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Core.pdb source: RFQ-004282A.Teknolojileri A.S.exe, 00000000.00000002.2404604728.0000029D8CFC6000.00000004.00000020.00020000.00000000.sdmp, RFQ-004282A.Teknolojileri A.S.exe, 00000000.00000002.2407649607.0000029DA73A6000.00000004.00000020.00020000.00000000.sdmp, WER30C2.tmp.dmp.8.dr
                  Source: Binary string: \??\C:\Windows\mscorlib.pdb source: RFQ-004282A.Teknolojileri A.S.exe, 00000000.00000002.2407649607.0000029DA73A6000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: pC:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.PDB source: RFQ-004282A.Teknolojileri A.S.exe, 00000000.00000002.2404366100.000000EA73563000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\System.Core.pdbesH source: RFQ-004282A.Teknolojileri A.S.exe, 00000000.00000002.2407649607.0000029DA7325000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: RegAsm.pdb4 source: newapp.exe, 0000000B.00000000.2247594013.0000000000562000.00000002.00000001.01000000.00000009.sdmp, newapp.exe.5.dr
                  Source: Binary string: System.Core.pdbk source: RFQ-004282A.Teknolojileri A.S.exe, 00000000.00000002.2404604728.0000029D8CFC6000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.PDB@:= source: RFQ-004282A.Teknolojileri A.S.exe, 00000000.00000002.2404366100.000000EA73563000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: System.ni.pdb source: WER30C2.tmp.dmp.8.dr
                  Source: Binary string: System.Core.ni.pdbRSDS source: WER30C2.tmp.dmp.8.dr
                  Source: C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.exeCode function: 0_2_00007FF848F22CF8 push ss; retn 5F4Bh0_2_00007FF848F46317
                  Source: C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.exeCode function: 0_2_00007FF848F2D225 push ebp; iretd 0_2_00007FF848F2D228
                  Source: C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.exeCode function: 0_2_00007FF848F2595B pushfd ; retf 0_2_00007FF848F25991
                  Source: C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.exeCode function: 0_2_00007FF848F28169 push ebx; ret 0_2_00007FF848F2816A
                  Source: C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.exeCode function: 0_2_00007FF848F259A5 push edx; retf 0_2_00007FF848F259DB
                  Source: C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.exeCode function: 0_2_00007FF848F200BD pushad ; iretd 0_2_00007FF848F200C1
                  Source: C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.exeCode function: 0_2_00007FF8490306BB push esp; retf 4810h0_2_00007FF849030762
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_010B0C55 push ebx; retf 5_2_010B0C52
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_010B0C6D push edi; retf 5_2_010B0C7A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_010B0CCB push edi; retf 5_2_010B0C7A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_066E5350 pushfd ; ret 5_2_066E5669
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_066EAF02 push es; ret 5_2_066EAF10
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_066E68E3 push esp; retf 5_2_066E68E9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_066E68E0 pushad ; retf 5_2_066E68E1
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_066E5663 pushfd ; ret 5_2_066E5669
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_066EF550 push es; ret 5_2_066EF560
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Roaming\newapp\newapp.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run newapp

                  Hooking and other Techniques for Hiding and Protection

                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\newapp\newapp.exe:Zone.Identifier read attributes | delete
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                  Source: C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: Yara match | File source: Process Memory Space: RFQ-004282A.Teknolojileri A.S.exe PID: 2928, type: MEMORYSTR
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                  Source: RFQ-004282A.Teknolojileri A.S.exe, 00000000.00000002.2405086703.0000029D8F0FB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
                  Source: RFQ-004282A.Teknolojileri A.S.exe, 00000000.00000002.2405086703.0000029D8F0FB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
                  Source: C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.exe | Memory allocated: 29D8D0D0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.exe | Memory allocated: 29DA6BF0000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 10B0000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 2DC0000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 2AE0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Memory allocated: EA0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Memory allocated: 2810000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Memory allocated: 4810000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Memory allocated: B20000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Memory allocated: 2750000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Memory allocated: 2550000 memory reserve | memory write watch
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 600000, 599891, 599766, 599641, 599531, 599422, 599313, 599188, 599063, 598953, 598844, 598719, 598610, 598485, 598360, 598235, 598110, 597985, 597860, 597735, 597610, 597485, 597359, 597250, 597140, 597031, 596922, 596811, 596699, 596594, 596469, 596355, 596249, 596141, 596031, 595922, 595812, 595703, 595594, 595484, 595375, 595266, 595141, 595016, 594906, 594797, 594688, 594563, 594437, 594320, 594180 (51 consecutive delays in ms, each 105 to 140 ms shorter than the one before)
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Thread delayed: delay time: 922337203685477 (2 occurrences)
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5908
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3835
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window / User API: threadDelayed 2004
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window / User API: threadDelayed 7835
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3176 | Thread sleep time: -7378697629483816s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4204 | Thread sleep count: 34 > 30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4204 | Thread sleep time: -31359464925306218s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4204 | Thread sleep time: -600000s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2892 | Thread sleep count: 2004 > 30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4204 | Thread sleep time: -599891s, -599766s (each >= -30000s)
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2892 | Thread sleep count: 7835 > 30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4204 | Thread sleep time: -599641s, -599531s, -599422s, -599313s, -599188s, -599063s, -598953s, -598844s, -598719s, -598610s, -598485s, -598360s, -598235s, -598110s, -597985s, -597860s, -597735s, -597610s, -597485s, -597359s, -597250s, -597140s, -597031s, -596922s, -596811s, -596699s, -596594s, -596469s, -596355s, -596249s, -596141s, -596031s, -595922s, -595812s, -595703s, -595594s, -595484s, -595375s, -595266s, -595141s, -595016s, -594906s, -594797s, -594688s, -594563s, -594437s, -594320s, -594180s (48 consecutive sleeps, each >= -30000s)
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 1656 | Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 1520 | Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor (2 occurrences)
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeThread delayed: delay time: 922337203685477
                  Source: Amcache.hve.8.drBinary or memory string: VMware
                  Source: Amcache.hve.8.drBinary or memory string: VMware Virtual USB Mouse
                  Source: Amcache.hve.8.drBinary or memory string: vmci.syshbin
                  Source: Amcache.hve.8.drBinary or memory string: VMware, Inc.
                  Source: RFQ-004282A.Teknolojileri A.S.exe, 00000000.00000002.2405086703.0000029D8F0FB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                  Source: Amcache.hve.8.drBinary or memory string: VMware20,1hbin@
                  Source: Amcache.hve.8.drBinary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                  Source: Amcache.hve.8.drBinary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                  Source: Amcache.hve.8.drBinary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                  Source: Amcache.hve.8.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                  Source: RFQ-004282A.Teknolojileri A.S.exe, 00000000.00000002.2405086703.0000029D8F0FB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWARE
                  Source: RFQ-004282A.Teknolojileri A.S.exe, 00000000.00000002.2405086703.0000029D8F0FB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
                  Source: Amcache.hve.8.drBinary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                  Source: RFQ-004282A.Teknolojileri A.S.exe, 00000000.00000002.2405086703.0000029D8F0FB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                  Source: RFQ-004282A.Teknolojileri A.S.exe, 00000000.00000002.2405086703.0000029D8F0FB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA II
                  Source: Amcache.hve.8.drBinary or memory string: c:/windows/system32/drivers/vmci.sys
                  Source: Amcache.hve.8.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                  Source: Amcache.hve.8.drBinary or memory string: vmci.sys
                  Source: Amcache.hve.8.drBinary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
                  Source: RFQ-004282A.Teknolojileri A.S.exe, 00000000.00000002.2405086703.0000029D8F0FB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
                  Source: Amcache.hve.8.drBinary or memory string: vmci.syshbin`
                  Source: RFQ-004282A.Teknolojileri A.S.exe, 00000000.00000002.2405086703.0000029D8F0FB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
                  Source: Amcache.hve.8.drBinary or memory string: \driver\vmci,\driver\pci
                  Source: RFQ-004282A.Teknolojileri A.S.exe, 00000000.00000002.2405086703.0000029D8F0FB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
                  Source: RegAsm.exe, 00000005.00000002.4539321274.0000000006110000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllnt32
                  Source: RFQ-004282A.Teknolojileri A.S.exe, 00000000.00000002.2405086703.0000029D8F0FB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                  Source: Amcache.hve.8.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                  Source: Amcache.hve.8.drBinary or memory string: VMware20,1
                  Source: Amcache.hve.8.drBinary or memory string: Microsoft Hyper-V Generation Counter
                  Source: Amcache.hve.8.drBinary or memory string: NECVMWar VMware SATA CD00
                  Source: Amcache.hve.8.drBinary or memory string: VMware Virtual disk SCSI Disk Device
                  Source: Amcache.hve.8.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                  Source: Amcache.hve.8.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                  Source: Amcache.hve.8.drBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                  Source: Amcache.hve.8.drBinary or memory string: VMware PCI VMCI Bus Device
                  Source: RFQ-004282A.Teknolojileri A.S.exe, 00000000.00000002.2405086703.0000029D8F0FB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
                  Source: RFQ-004282A.Teknolojileri A.S.exe, 00000000.00000002.2405086703.0000029D8F0FB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
                  Source: Amcache.hve.8.drBinary or memory string: VMware VMCI Bus Device
                  Source: Amcache.hve.8.drBinary or memory string: VMware Virtual RAM
                  Source: Amcache.hve.8.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                  Source: Amcache.hve.8.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
                  Source: C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.exeProcess queried: DebugPortJump to behavior
                  Source: C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.exeProcess queried: DebugPortJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.exeMemory allocated: page read and write | page guardJump to behavior

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.exe - Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.exe" -Force
                  Source: C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.exe - Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
                  Source: C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.exe - Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
                  Source: C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.exe - Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
                  Source: C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.exe - Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 440000
                  Source: C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.exe - Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 442000
                  Source: C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.exe - Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: CCA008
                  Source: C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.exe - Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
                  Source: RegAsm.exe, 00000005.00000002.4534794100.0000000002FB5000.00000004.00000800.00020000.00000000.sdmp - Binary or memory string: <b>[ Program Manager]</b> (12/12/2024 06:38:34)<br>{Win}r<br><b>[ C:\Users\user\AppData\Roaming\newapp\newapp.exe]</b> (12/12/2024 18:19:49)<br>{Win}THuq
                  Source: RegAsm.exe, 00000005.00000002.4534794100.0000000002FB5000.00000004.00000800.00020000.00000000.sdmp - Binary or memory string: Program Manager
                  Source: RegAsm.exe, 00000005.00000002.4534794100.0000000002FB5000.00000004.00000800.00020000.00000000.sdmp - Binary or memory string: <b>[ Program Manager]</b> (12/12/2024 06:38:34)<br>{Win}r<br><b>[ C:\Users\user\AppData\Roaming\newapp\newapp.exe]</b> (12/12/2024 18:19:49)<br>
                  Source: RegAsm.exe, 00000005.00000002.4534794100.0000000002FB5000.00000004.00000800.00020000.00000000.sdmp - Binary or memory string: $pq3<b>[ Program Manager]</b> (12/12/2024 06:38:34)<br>
                  Source: RegAsm.exe, 00000005.00000002.4534794100.0000000002FB5000.00000004.00000800.00020000.00000000.sdmp - Binary or memory string: $pq=<b>[ Program Manager]</b> (12/12/2024 06:38:34)<br>{Win}r<br>t-pq
                  Source: RegAsm.exe, 00000005.00000002.4534794100.0000000002FB5000.00000004.00000800.00020000.00000000.sdmp - Binary or memory string: $pq9<b>[ Program Manager]</b> (12/12/2024 06:38:34)<br>{Win}rTHuq
                  Source: RegAsm.exe, 00000005.00000002.4534794100.0000000002FB5000.00000004.00000800.00020000.00000000.sdmp - Binary or memory string: <b>[ Program Manager]</b> (12/12/2024 06:38:34)<br>{Win}r<br><b>[ C:\Users\user\AppData\Roaming\newapp\newapp.exe]</b> (12/12/2024 18:19:49)<br>{Win}rTHuq
                  Source: RegAsm.exe, 00000005.00000002.4534794100.0000000002FD3000.00000004.00000800.00020000.00000000.sdmp - Binary or memory string: <html>Time: 12/28/2024 01:57:08<br>User Name: user<br>Computer Name: 367706<br>OSFullName: Microsoft Windows 10 Pro<br>CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz<br>RAM: 8191.25 MB<br>IP Address: 8.46.123.175<br><hr><b>[ Program Manager]</b> (12/12/2024 06:38:34)<br>{Win}r<br><b>[ C:\Users\user\AppData\Roaming\newapp\newapp.exe]</b> (12/12/2024 18:19:49)<br>{Win}r</html>
                  Source: RegAsm.exe, 00000005.00000002.4534794100.0000000002FB5000.00000004.00000800.00020000.00000000.sdmp - Binary or memory string: Program ManagerLRpq
                  Source: RegAsm.exe, 00000005.00000002.4534794100.0000000002FB5000.00000004.00000800.00020000.00000000.sdmp - Binary or memory string: $pq8<b>[ Program Manager]</b> (12/12/2024 06:38:34)<br>{Win}THuq
                  Source: C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.exe - Queries volume information: C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.exe VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe - Queries volume information: C:\Users\user\AppData\Roaming\newapp\newapp.exe VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.exe - Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Lowering of HIPS / PFW / Operating System Security Settings

                  Source: C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.exe - Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA
                  Source: Amcache.hve.8.dr - Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                  Source: Amcache.hve.8.dr - Binary or memory string: msmpeng.exe
                  Source: Amcache.hve.8.dr - Binary or memory string: c:\program files\windows defender\msmpeng.exe
                  Source: Amcache.hve.8.dr - Binary or memory string: MsMpEng.exe

                  Stealing of Sensitive Information

                  Source: Yara match - File source: 0.2.RFQ-004282A.Teknolojileri A.S.exe.29d9ec7bf08.2.unpack, type: UNPACKEDPE
                  Source: Yara match - File source: 0.2.RFQ-004282A.Teknolojileri A.S.exe.29d9ec3ecc0.4.unpack, type: UNPACKEDPE
                  Source: Yara match - File source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match - File source: 0.2.RFQ-004282A.Teknolojileri A.S.exe.29d9ec7bf08.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match - File source: 0.2.RFQ-004282A.Teknolojileri A.S.exe.29d9ec3ecc0.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara match - File source: 00000005.00000002.4534794100.0000000002E3C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match - File source: 00000005.00000002.4534794100.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match - File source: 00000005.00000002.4532768397.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match - File source: 00000000.00000002.2406340649.0000029D9EC01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match - File source: Process Memory Space: RFQ-004282A.Teknolojileri A.S.exe PID: 2928, type: MEMORYSTR
                  Source: Yara match - File source: Process Memory Space: RegAsm.exe PID: 6564, type: MEMORYSTR
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - File opened: C:\FTP Navigator\Ftplist.txt
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                  Source: Yara match - File source: 0.2.RFQ-004282A.Teknolojileri A.S.exe.29d9ec7bf08.2.unpack, type: UNPACKEDPE
                  Source: Yara match - File source: 0.2.RFQ-004282A.Teknolojileri A.S.exe.29d9ec3ecc0.4.unpack, type: UNPACKEDPE
                  Source: Yara match - File source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match - File source: 0.2.RFQ-004282A.Teknolojileri A.S.exe.29d9ec7bf08.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match - File source: 0.2.RFQ-004282A.Teknolojileri A.S.exe.29d9ec3ecc0.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara match - File source: 00000005.00000002.4534794100.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match - File source: 00000005.00000002.4532768397.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match - File source: 00000000.00000002.2406340649.0000029D9EC01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match - File source: Process Memory Space: RFQ-004282A.Teknolojileri A.S.exe PID: 2928, type: MEMORYSTR
                  Source: Yara match - File source: Process Memory Space: RegAsm.exe PID: 6564, type: MEMORYSTR

                  Remote Access Functionality

                  Source: Yara match - File source: 0.2.RFQ-004282A.Teknolojileri A.S.exe.29d9ec7bf08.2.unpack, type: UNPACKEDPE
                  Source: Yara match - File source: 0.2.RFQ-004282A.Teknolojileri A.S.exe.29d9ec3ecc0.4.unpack, type: UNPACKEDPE
                  Source: Yara match - File source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match - File source: 0.2.RFQ-004282A.Teknolojileri A.S.exe.29d9ec7bf08.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match - File source: 0.2.RFQ-004282A.Teknolojileri A.S.exe.29d9ec3ecc0.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara match - File source: 00000005.00000002.4534794100.0000000002E3C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match - File source: 00000005.00000002.4534794100.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match - File source: 00000005.00000002.4532768397.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match - File source: 00000000.00000002.2406340649.0000029D9EC01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match - File source: Process Memory Space: RFQ-004282A.Teknolojileri A.S.exe PID: 2928, type: MEMORYSTR
                  Source: Yara match - File source: Process Memory Space: RegAsm.exe PID: 6564, type: MEMORYSTR

                  ATT&CK matrix by tactic (a number in front of a technique is the count badge the report attaches to it):

                  Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
                  Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
                  Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
                  Execution: 121 Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
                  Persistence: 1 DLL Side-Loading; 1 Registry Run Keys / Startup Folder; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                  Privilege Escalation: 1 DLL Side-Loading; 212 Process Injection; 1 Registry Run Keys / Startup Folder; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                  Defense Evasion: 21 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 1 Obfuscated Files or Information; 1 DLL Side-Loading; 1 Masquerading; 151 Virtualization/Sandbox Evasion; 212 Process Injection; 1 Hidden Files and Directories
                  Credential Access: 2 OS Credential Dumping; 21 Input Capture; 1 Credentials in Registry; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
                  Discovery: 1 File and Directory Discovery; 24 System Information Discovery; 231 Security Software Discovery; 2 Process Discovery; 151 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery; System Owner/User Discovery
                  Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
                  Collection: 11 Archive Collected Data; 2 Data from Local System; 1 Email Collection; 21 Input Capture; 1 Clipboard Data; GUI Input Capture; Web Portal Capture; Credential API Hooking
                  Command and Control: 1 Ingress Tool Transfer; 11 Encrypted Channel; 2 Non-Application Layer Protocol; 13 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
                  Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
                  Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Behavior Graph (ID: 1573521, Sample: RFQ-004282A.Teknolojileri A.S.exe, Start date: 12/12/2024, Architecture: WINDOWS, Score: 100)

Start node:
• DNS/IP: ftp.ercolina-usa.com; ercolina-usa.com; api.ipify.org
• Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 9 other signatures
• Started processes: RFQ-004282A.Teknolojileri A.S.exe; newapp.exe; newapp.exe

RFQ-004282A.Teknolojileri A.S.exe:
• Signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Writes to foreign memory regions; Adds a directory exclusion to Windows Defender; 2 other signatures
• Started processes: RegAsm.exe; powershell.exe; WerFault.exe; conhost.exe

newapp.exe (both instances):
• Started processes: conhost.exe

RegAsm.exe:
• DNS/IP: ercolina-usa.com 192.254.225.136, ports 21, 49706, 49708, UNIFIEDLAYER-AS-1US, United States; api.ipify.org 172.67.74.152, ports 443, 49704, CLOUDFLARENETUS, United States
• Dropped file: C:\Users\user\AppData\Roaming\...\newapp.exe, PE32
• Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Tries to steal Mail credentials (via file / registry access); 4 other signatures

powershell.exe:
• Signatures: Loading BitLocker PowerShell Module
• Started processes: conhost.exe

Source | Detection | Scanner | Label
RFQ-004282A.Teknolojileri A.S.exe | 33% | Virustotal |
RFQ-004282A.Teknolojileri A.S.exe | 34% | ReversingLabs | Win64.Trojan.Cerbu
RFQ-004282A.Teknolojileri A.S.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\newapp\newapp.exe | 0% | ReversingLabs |

No Antivirus matches

Source | Detection | Scanner | Label
ercolina-usa.com | 0% | Virustotal |
ftp.ercolina-usa.com | 3% | Virustotal |

Source | Detection | Scanner | Label
http://go.microsoft.ch | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ercolina-usa.com | 192.254.225.136 | true | true | | unknown
api.ipify.org | 172.67.74.152 | true | false | | high
ftp.ercolina-usa.com | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | false | | high

Name | Source | Malicious | Antivirus Detection | Reputation
https://api.ipify.org | RFQ-004282A.Teknolojileri A.S.exe, 00000000.00000002.2406340649.0000029D9EC01000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.4532768397.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.4534794100.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://upx.sf.net | Amcache.hve.8.dr | false | | high
https://account.dyn.com/ | RFQ-004282A.Teknolojileri A.S.exe, 00000000.00000002.2406340649.0000029D9EC01000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.4532768397.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
https://api.ipify.org/t | RegAsm.exe, 00000005.00000002.4534794100.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://go.microsoft.ch | newapp.exe, 0000000D.00000002.2333404293.0000000000978000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RegAsm.exe, 00000005.00000002.4534794100.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ftp.ercolina-usa.com | RegAsm.exe, 00000005.00000002.4534794100.0000000002FD3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.4534794100.0000000002FB5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.4534794100.0000000002E3C000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ercolina-usa.com | RegAsm.exe, 00000005.00000002.4534794100.0000000002FD3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.4534794100.0000000002FB5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.4534794100.0000000002E3C000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
192.254.225.136 | ercolina-usa.com | United States | 46606 | UNIFIEDLAYER-AS-1US | true
172.67.74.152 | api.ipify.org | United States | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1573521
Start date and time: 2024-12-12 07:58:19 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 28s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 16
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: RFQ-004282A.Teknolojileri A.S.exe
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winEXE@12/14@2/2
                                    EGA Information:
                                    • Successful, ratio: 50%
                                    HCA Information:
                                    • Successful, ratio: 61%
                                    • Number of executed functions: 110
                                    • Number of non-executed functions: 7
                                    Cookbook Comments:
                                    • Found application associated with file extension: .exe
                                    • Override analysis time to 240000 for current running targets taking high CPU consumption
                                    • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                    • Excluded IPs from analysis (whitelisted): 20.42.73.29, 20.190.147.0, 13.107.246.63, 20.109.210.53
                                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, otelrules.azureedge.net, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
                                    • Execution Graph export aborted for target newapp.exe, PID 1892 because it is empty
                                    • Execution Graph export aborted for target newapp.exe, PID 5968 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                    • Report size getting too big, too many NtCreateKey calls found.
                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                    • Report size getting too big, too many NtReadVirtualMemory calls found.
                                    • Report size getting too big, too many NtSetInformationFile calls found.
Time | Type | Description
01:59:16 | API Interceptor | 18x Sleep call for process: powershell.exe modified
01:59:18 | API Interceptor | 10998958x Sleep call for process: RegAsm.exe modified
01:59:45 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
07:59:21 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run newapp C:\Users\user\AppData\Roaming\newapp\newapp.exe
07:59:30 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run newapp C:\Users\user\AppData\Roaming\newapp\newapp.exe
Associated Sample Name / URL | Detection | Threat Name | Context

Match: 192.254.225.136
• QUOTATION#08670.exe | malicious | AgentTesla |
• SPECIFICATIONS.exe | malicious | AgentTesla |
• TECHNICAL SPECIFICATIONS.exe | malicious | AgentTesla |
• uLFOeGZaJS.exe | malicious | AgentTesla |
• RICHIESTA D'OFFERTA.exe | malicious | AgentTesla, PureLog Stealer, zgRAT |
• QUOTATION#09678.exe | malicious | AgentTesla |
• PURCHASE SPCIFICIATIONS.exe | malicious | AgentTesla, PureLog Stealer |
• LISTA DE COTIZACIONES.exe | malicious | AgentTesla, PureLog Stealer |
• QUOTATION#5400.exe | malicious | AgentTesla |
• QUOTATION#2800-QUANTUM MACTOOLS.exe | malicious | AgentTesla, PureLog Stealer |

Match: 172.67.74.152
• jgbC220X2U.exe | malicious | Unknown | api.ipify.org/?format=text
• malware.exe | malicious | Targeted Ransomware, TrojanRansom | api.ipify.org/
• Simple1.exe | malicious | Unknown | api.ipify.org/
• Simple2.exe | malicious | Unknown | api.ipify.org/
• systemConfigChecker.exe | malicious | Unknown | api.ipify.org/
• systemConfigChecker.exe | malicious | Unknown | api.ipify.org/
• 2b7cu0KwZl.exe | malicious | Unknown | api.ipify.org/
• Zc9eO57fgF.elf | malicious | Unknown | api.ipify.org/
• 67065b4c84713_Javiles.exe | malicious | RDPWrap Tool | api.ipify.org/
• Yc9hcFC1ux.exe | malicious | Unknown | api.ipify.org/
Associated Sample Name / URL | Detection | Threat Name | Context

Match: api.ipify.org
• Employee_Letter.pdf | malicious | HTMLPhisher | 104.26.12.205
• discord.exe | malicious | Unknown | 172.67.74.152
• jgbC220X2U.exe | malicious | Unknown | 172.67.74.152
• QUOTATION#08670.exe | malicious | AgentTesla | 172.67.74.152
• INVOICE NO. USF23-24072 IGR23110.exe | malicious | AgentTesla | 104.26.13.205
• SPECIFICATIONS.exe | malicious | AgentTesla | 104.26.13.205
• EEMsLiXoiTzoaDd.scr | malicious | AgentTesla, PureLog Stealer | 172.67.74.152
• Statement 2024-11-29 (K07234).exe | malicious | AgentTesla | 104.26.12.205
• Employee_Letter.pdf | malicious | HTMLPhisher | 104.26.13.205
• 1mr7lpFIVI.exe | malicious | Unknown | 104.26.12.205
Associated Sample Name / URL | Detection | Threat Name | Context

Match: UNIFIEDLAYER-AS-1US
• https://analytics-prd.aws.wehaa.net/trackings?value=1&action=click&category=external&origin=detailpage&url=http://notifix.info/scales/ec49f59be146f69f3ea00c211d5cccd90524b2cf7f8aec665534fc020c910734b9e18d0945bd518a0e55b407c5bf7443cf6179/paige_williams@newyorker.com&cat=firstpage&label_item_id=9633&label_owner_id=646&label_url=http://notifix.info/scales/ec49f59be146f69f3ea00c211d5cccd90524b2cf7f8aec665534fc020c910734b9e18d0945bd518a0e55b407c5bf7443cf6179/paige_williams@newyorker.com&idle=8d15bf95831b32126e4b3bd02a20cf592eade0e3442422aeaf0db14b2e91ae186a5549c468519863594ece59910ee541&tenant=minnesotastate.jobs | malicious | Captcha Phish | 192.185.149.80
• https://analytics-prd.aws.wehaa.net/trackings?value=1&action=click&category=external&origin=detailpage&url=http://notifix.info/scales/0af634fca2eaf3a11c0597691f5616c7d16f5580d650d17201024b374ebe92a8e0c492c822b6be6f4332bb93acc2ba02298f78/christa_sgobba@condenast.com&cat=firstpage&label_item_id=9633&label_owner_id=646&label_url=http://notifix.info/scales/0af634fca2eaf3a11c0597691f5616c7d16f5580d650d17201024b374ebe92a8e0c492c822b6be6f4332bb93acc2ba02298f78/christa_sgobba@condenast.com&idle=8d15bf95831b32126e4b3bd02a20cf592eade0e3442422aeaf0db14b2e91ae186a5549c468519863594ece59910ee541&tenant=minnesotastate.jobs | malicious | Captcha Phish, HTMLPhisher | 192.185.149.80
• REMITTANCE_10023Tdcj.html | malicious | Unknown | 69.49.245.172
• arm5.elf | malicious | Mirai | 162.240.133.182
• mpsl.elf | malicious | Mirai | 162.144.117.232
• Review_Approval_rocjr.pdf | malicious | Captcha Phish, HTMLPhisher | 108.167.188.182
• vFile__0054seconds__Arkansas.html | malicious | Unknown | 69.49.245.172
• vReport__43281seconds__Ccorralejo.html | malicious | Unknown | 69.49.245.172
• http://www.recorderkorea.com/shop/proc/indb.cart.tab.php?action=ok&tab=today&type=delete&returnUrl=https://23058.hicleanly.ca/uoeujd/shuhsdy/odog/kratos/REDIRECT/Zl2jyY/compliance@yourmom.com | malicious | Unknown | 192.185.77.62
• Quotation 241211.html | malicious | HTMLPhisher | 192.185.120.55

Match: CLOUDFLARENETUS
• hesaphareketi-01.pdfsxlx..exe | malicious | Snake Keylogger | 104.21.67.152
• 41570002689_20220814_05352297_HesapOzeti.exe | malicious | MassLogger RAT | 104.21.67.152
• Strait STS.vbs | malicious | Remcos, GuLoader | 172.67.216.143
• Captcha.hta | malicious | Cobalt Strike, HTMLPhisher, LummaC Stealer | 172.67.206.64
• malware.ps1 | malicious | MassLogger RAT | 104.21.67.152
• https://analytics-prd.aws.wehaa.net/trackings?value=1&action=click&category=external&origin=detailpage&url=http://notifix.info/scales/ec49f59be146f69f3ea00c211d5cccd90524b2cf7f8aec665534fc020c910734b9e18d0945bd518a0e55b407c5bf7443cf6179/paige_williams@newyorker.com&cat=firstpage&label_item_id=9633&label_owner_id=646&label_url=http://notifix.info/scales/ec49f59be146f69f3ea00c211d5cccd90524b2cf7f8aec665534fc020c910734b9e18d0945bd518a0e55b407c5bf7443cf6179/paige_williams@newyorker.com&idle=8d15bf95831b32126e4b3bd02a20cf592eade0e3442422aeaf0db14b2e91ae186a5549c468519863594ece59910ee541&tenant=minnesotastate.jobs | malicious | Captcha Phish | 104.21.80.1
• https://analytics-prd.aws.wehaa.net/trackings?value=1&action=click&category=external&origin=detailpage&url=http://notifix.info/scales/0af634fca2eaf3a11c0597691f5616c7d16f5580d650d17201024b374ebe92a8e0c492c822b6be6f4332bb93acc2ba02298f78/christa_sgobba@condenast.com&cat=firstpage&label_item_id=9633&label_owner_id=646&label_url=http://notifix.info/scales/0af634fca2eaf3a11c0597691f5616c7d16f5580d650d17201024b374ebe92a8e0c492c822b6be6f4332bb93acc2ba02298f78/christa_sgobba@condenast.com&idle=8d15bf95831b32126e4b3bd02a20cf592eade0e3442422aeaf0db14b2e91ae186a5549c468519863594ece59910ee541&tenant=minnesotastate.jobs | malicious | Captcha Phish, HTMLPhisher | 172.67.157.142
• REMITTANCE_10023Tdcj.html | malicious | Unknown | 104.17.25.14
• phish_alert_iocp_v1.4.48 - 2024-12-11T151927.331.eml | malicious | Unknown | 104.17.25.14
• SHIPPING DOCUMENTS_PDF.exe | malicious | FormBook | 172.67.176.240
Associated Sample Name / URL | Detection | Threat Name | Context

Match: 3b5074b1b5d032e5620f69f9f700ff0e
• Strait STS.vbs | malicious | Remcos, GuLoader | 172.67.74.152
• Shipping Documents.exe | malicious | MassLogger RAT | 172.67.74.152
• https://computeroids.com/hp-printer-driver?utm_source=Google&utm_medium=Click&utm_campaign=HP&utm_term=%7Bkeywords%7D&utm_content=%7Bmedium%7D&tm=tt&ap=gads&aaid=adaHxflMmgPq7&camp_id=12260099411&ad_g_id=118845692873&keyword=install%20hp%20printer%20to%20computer&device=c&network=searchAd&adposition=&gad_source=5&gclid=EAIaIQobChMI0JDUvuabigMV_Uf_AR2MuQCMEAAYASAAEgKQMPD_BwE | malicious | PureLog Stealer | 172.67.74.152
• https://owotabua.cloudfederalservices.com/F3A4k | malicious | Unknown | 172.67.74.152
• https://securee103.z13.web.core.windows.net/winside/00Windbndktw0win11advance/index.html# | malicious | TechSupportScam | 172.67.74.152
• c2.hta | malicious | XWorm | 172.67.74.152
• Agreement ATT Confidential -16_08_52-{DATE).docx | malicious | Unknown | 172.67.74.152
• T#U00fcbitak SAGE RfqF#U0334D#U0334P#U0334..exe | malicious | Snake Keylogger, VIP Keylogger | 172.67.74.152
• wi86CSarYC.exe | malicious | DanaBot | 172.67.74.152
Associated Sample Name / URL | Detection | Threat Name

Match: C:\Users\user\AppData\Roaming\newapp\newapp.exe
• c2.hta | malicious | XWorm
• c2.hta | malicious | XWorm
• PQwHxAiBGt.exe | malicious | RHADAMANTHYS
• P0J8k3LhVV.exe | malicious | Nanocore
• NIENrB5r6b.exe | malicious | XWorm
• DM6vAAgoCw.exe | malicious | Orcus, Xmrig
• File.exe | malicious | Orcus, Xmrig
• file.exe | malicious | PureLog Stealer, XWorm
• yhYrGCKq9s.exe | malicious | RedLine
• file.exe | malicious | XWorm
Process: C:\Windows\System32\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 1.1646015717336093
Encrypted: false
SSDEEP: 192:x61GXKSjZmKon0M9osslaWBBotixhzuiFIZ24lO8g9WU:GUZtDM9o9amRnzuiFIY4lO8I
MD5: AC3F8613C67F19404EF36F4E71CB8E4F
SHA1: F918F056C7E26E2BAF9E57B238E896C1D37569C1
SHA-256: 2E1BBF5548A26964CDF11755D5127329844A17837C77E6AEB2198831825E18D2
SHA-512: 2A8403FB6A39D49C2DED21BC217D6585B8CEFF70AB6968930F89AA814980A9A50CBF6929DD0E6A66EE1C978005D4A69E6BF42C2895EDF74F5800A1900CC0ABD3
Malicious: false
Reputation: low
                                                                            Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.8.4.6.0.3.5.5.4.5.0.8.6.1.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.8.4.6.0.3.5.6.3.4.1.4.8.1.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.6.b.9.8.9.4.a.-.d.7.d.1.-.4.e.0.9.-.8.9.f.3.-.9.4.2.7.8.e.7.8.b.8.1.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.d.3.2.d.0.3.e.-.f.3.5.9.-.4.0.4.3.-.b.e.b.2.-.1.7.8.e.d.3.2.5.d.5.5.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.R.F.Q.-.0.0.4.2.8.2.A...T.e.k.n.o.l.o.j.i.l.e.r.i. .A...S...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.C.o.n.s.o.l.e.A.p.p.l.i.c.a.t.i.o.n.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.b.7.0.-.0.0.0.1.-.0.0.1.4.-.5.9.b.f.-.1.0.5.9.6.3.4.c.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.c.d.c.b.f.4.1.1.f.6.6.d.4.5.5.e.6.0.e.4.3.6.2.c.d.b.d.5.d.b.0.a.0.0.0.0.0.0.0.0.!.0.0.0.0.6.f.c.a.4.7.3.e.6.4.9.8.b.d.e.1.b.0.1.5.e.9.
Process: C:\Windows\System32\WerFault.exe
File Type: Mini DuMP crash report, 16 streams, Thu Dec 12 06:59:15 2024, 0x1205a4 type
Category: dropped
Size (bytes): 493673
Entropy (8bit): 3.3173358444166827
Encrypted: false
SSDEEP: 3072:qsCzY8UqBllBVK78lpo4ztxcS/sDEjqb5D1j785sBspF1CCqKF7HHt3+vzocqjw:qsCz3U4llBk7y/Qsjqw3Qz
MD5: 348FFA0B638461826BD70055D12CA1DF
SHA1: 2CDE83BA699AD5504E4BF648665F576B4F3B1B2B
SHA-256: 2BAB7F4A20B06457D4BD02C8A499C345A3D5B0BD71450A1388D9CD2A2A292FFB
SHA-512: D4C57D6393C48D2A318809BA0F9766C961037A14E9A3F795516CCC6A74E3DCB00E79B2FFCE5A00E3EBA112D6ACD12904CC62267F7964DC3B959D9E312A4A5E12
Malicious: false
                                                                            Preview:MDMP..a..... ........Zg............t...........H...........$....%.......3...&.......o..............l.......8...........T............9...N...........Y...........[..............................................................................eJ......X\......Lw......................T.......p.....Zg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                            Process:C:\Windows\System32\WerFault.exe
                                                                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):8688
                                                                            Entropy (8bit):3.711463109046574
                                                                            Encrypted:false
                                                                            SSDEEP:192:R6l7wVeJPee4e6YEIIs1gmfZHwzprp89bLK5fC5m:R6lXJ3h6YEXs1gmfa4L0fF
                                                                            MD5:31162F5C9AAB0AF808FF6A04FEECC4A3
                                                                            SHA1:CDE421FA50CDAB76821798335B4ABB9158BE3AF7
                                                                            SHA-256:5F293ADFF2C7677309B104B3D99EB652C573E57CEFED447EBDFE294E780C8E03
                                                                            SHA-512:1879262D4AD5213D9C69A061B19B7E1EC324830E375E161671860D48A3B692170BD9584AD5E86A0466FFAA1722657C846C84CBC9813D8DF625157A7E3481C32C
                                                                            Malicious:false
                                                                            Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.9.2.8.<./.P.i.
                                                                            Process:C:\Windows\System32\WerFault.exe
                                                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):4909
                                                                            Entropy (8bit):4.551739360794368
                                                                            Encrypted:false
                                                                            SSDEEP:48:cvIwWl8zshJg771I9mBWpW8VYIYm8M4JeExF+Wyq8vKEdijEYzond:uIjfzI7tQ7VYJPFWz0jEYzond
                                                                            MD5:045F6A851D5DA0A88039BDBF802F1D8C
                                                                            SHA1:97D9BD1A918A87AAC924C15EF04A553DCC194B38
                                                                            SHA-256:A9C9BFFFDF6577246A702B56C822250623B1A9DA7AFC9B7A9634AD76033A1A78
                                                                            SHA-512:3BEE493308E3B0D03CCA4078B533DA37813BFE9F0FCBC18C6393136711C6E45EABEA218046450D3571C84052A61E93D38DAAAADEF6C1A77FD559EF034BD46E6D
                                                                            Malicious:false
                                                                            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="627721" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                            Process:C:\Users\user\AppData\Roaming\newapp\newapp.exe
                                                                            File Type:ASCII text, with CRLF line terminators
                                                                            Category:modified
                                                                            Size (bytes):42
                                                                            Entropy (8bit):4.0050635535766075
                                                                            Encrypted:false
                                                                            SSDEEP:3:QHXMKa/xwwUy:Q3La/xwQ
                                                                            MD5:84CFDB4B995B1DBF543B26B86C863ADC
                                                                            SHA1:D2F47764908BF30036CF8248B9FF5541E2711FA2
                                                                            SHA-256:D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
                                                                            SHA-512:485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
                                                                            Malicious:false
                                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):64
                                                                            Entropy (8bit):1.1940658735648508
                                                                            Encrypted:false
                                                                            SSDEEP:3:Nlllulbnolz:NllUc
                                                                            MD5:F23953D4A58E404FCB67ADD0C45EB27A
                                                                            SHA1:2D75B5CACF2916C66E440F19F6B3B21DFD289340
                                                                            SHA-256:16F994BFB26D529E4C28ED21C6EE36D4AFEAE01CEEB1601E85E0E7FDFF4EFA8B
                                                                            SHA-512:B90BFEC26910A590A367E8356A20F32A65DB41C6C62D79CA0DDCC8D95C14EB48138DEC6B992A6E5C7B35CFF643063012462DA3E747B2AA15721FE2ECCE02C044
                                                                            Malicious:false
                                                                            Preview:@...e................................................@..........
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                            File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                            Category:modified
                                                                            Size (bytes):65440
                                                                            Entropy (8bit):6.049806962480652
                                                                            Encrypted:false
                                                                            SSDEEP:768:X8XcJiMjm2ieHlPyCsSuJbn8dBhFwlSMF6Iq8KSYDKbQ22qWqO8w1R:rYMaNylPYSAb8dBnsHsPDKbQBqTY
                                                                            MD5:0D5DF43AF2916F47D00C1573797C1A13
                                                                            SHA1:230AB5559E806574D26B4C20847C368ED55483B0
                                                                            SHA-256:C066AEE7AA3AA83F763EBC5541DAA266ED6C648FBFFCDE0D836A13B221BB2ADC
                                                                            SHA-512:F96CF9E1890746B12DAF839A6D0F16F062B72C1B8A40439F96583F242980F10F867720232A6FA0F7D4D7AC0A7A6143981A5A130D6417EA98B181447134C7CFE2
                                                                            Malicious:false
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                            Joe Sandbox View:
                                                                            • Filename: c2.hta, Detection: malicious
                                                                            • Filename: c2.hta, Detection: malicious
                                                                            • Filename: PQwHxAiBGt.exe, Detection: malicious
                                                                            • Filename: P0J8k3LhVV.exe, Detection: malicious
                                                                            • Filename: NIENrB5r6b.exe, Detection: malicious
                                                                            • Filename: DM6vAAgoCw.exe, Detection: malicious
                                                                            • Filename: File.exe, Detection: malicious
                                                                            • Filename: file.exe, Detection: malicious
                                                                            • Filename: yhYrGCKq9s.exe, Detection: malicious
                                                                            • Filename: file.exe, Detection: malicious
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....<.]..............0.............^.... ........@.. ....................... .......F....`.....................................O.......8................A........................................................... ............... ..H............text...d.... ...................... ..`.rsrc...8...........................@..@.reloc..............................@..B................@.......H........A...p..........T................................................~P...-.r...p.....(....(....s.....P...*..0.."........(......-.r...p.rI..p(....s....z.*...0..........(....~P.....o......*..(....*n(.....(..........%...(....*~(.....(..........%...%...(....*.(.....(..........%...%...%...(....*V.(......}Q.....}R...*..{Q...*..{R...*...0...........(.......i.=...}S......i.@...}T......i.@...}U.....+m...(....o .....r]..p.o!...,..{T.......{U........o"....+(.ra..p.o!...,..{T.......
                                                                            Process:C:\Windows\System32\WerFault.exe
                                                                            File Type:MS Windows registry file, NT/2000 or above
                                                                            Category:dropped
                                                                            Size (bytes):1835008
                                                                            Entropy (8bit):4.421864134245492
                                                                            Encrypted:false
                                                                            SSDEEP:6144:5Svfpi6ceLP/9skLmb0OTXWSPHaJG8nAgeMZMMhA2fX4WABlEnNp0uhiTw:wvloTXW+EZMM6DFyr03w
                                                                            MD5:39CE3007376A4BA08FD6BC688D69CEC3
                                                                            SHA1:41915BA6C0E131554F509DB832ACAC9FBC5602A6
                                                                            SHA-256:753CCDB3F3FFB591A4105F589F39FAF052DCAF7C2F5C0D8DEACC69248E897BCE
                                                                            SHA-512:7B9D142156B686B551B0CE429F5706C0E8639DCCE36E28DC42AE75FEDF120F2590C3E3F6DE3E8B2AFA2A24345C8856A1B37FB03AB470DC8E9879374568FCEFCB
                                                                            Malicious:false
                                                                            Preview:regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..1[cL..............................................................................................................................................................................................................................................................................................................................................St&o........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Roaming\newapp\newapp.exe
                                                                            File Type:ASCII text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):1049
                                                                            Entropy (8bit):4.286073681226177
                                                                            Encrypted:false
                                                                            SSDEEP:24:z3d3+DO/0XZd3Wo3opQ5ZKBQFYVgt7ovrNOYlK:zNODBXZxo4ABV+SrUYE
                                                                            MD5:402278578416001C915480C7040F2964
                                                                            SHA1:B4833865ECE3609EC213509D4AB7D7A195C00753
                                                                            SHA-256:86E0747C9B54AA9AACB788589E70E19279DF13F1393795E689342AF3302912E1
                                                                            SHA-512:473600FBC051B22E9E7A6FBE1694ED736CF90DE5A8DF92AF1FA9A85DDD97379CFF0E8A5DF89937AE083BEBEFC81C407A907D0FB5ED9019BEDF6FB4703838321B
                                                                            Malicious:false
                                                                            Preview:Microsoft .NET Framework Assembly Registration Utility version 4.8.4084.0..for Microsoft .NET Framework version 4.8.4084.0..Copyright (C) Microsoft Corporation. All rights reserved.....Syntax: RegAsm AssemblyName [Options]..Options:.. /unregister Unregister types.. /tlb[:FileName] Export the assembly to the specified type library.. and register it.. /regfile[:FileName] Generate a reg file with the specified name.. instead of registering the types. This option.. cannot be used with the /u or /tlb options.. /codebase Set the code base in the registry.. /registered Only refer to already registered type libraries.. /asmpath:Directory Look for assembly references here.. /nologo Prevents RegAsm from displaying logo.. /silent Silent mode. Prevents displaying of success messages.. /verbose Displays extra information..
                                                                            File type:PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                            Entropy (8bit):7.993597660806945
                                                                            TrID:
                                                                            • Win64 Executable Console Net Framework (206006/5) 48.58%
                                                                            • Win64 Executable Console (202006/5) 47.64%
                                                                            • Win64 Executable (generic) (12005/4) 2.83%
                                                                            • Generic Win/DOS Executable (2004/3) 0.47%
                                                                            • DOS Executable Generic (2002/1) 0.47%
                                                                            File name:RFQ-004282A.Teknolojileri A.S.exe
                                                                            File size:614'024 bytes
                                                                            MD5:6ea849b727eea7b7487aa0941258f8bd
                                                                            SHA1:6fca473e6498bde1b015e95fd612d156727a19fc
                                                                            SHA256:f6e159f0e6c27e334d951dd08dff7819878b7ac4318b5dcd1a2d9975062ab8d1
                                                                            SHA512:23442f983e18788f2ac5f3e4839fcbf4252964c50b0363798718b50f20129df73f9fa9d9df5407b5a18f2cb18c97bddc9dd66a5e3dc35dc0b43536090272a91a
                                                                            SSDEEP:12288:5yDylIzYVQVHLgGiV3zkkvaB/FXPD02tdbNkrIGd7F0oS4M+3+xe:5jsVrTiV3wddr02TbNM7Oo3M4
                                                                            TLSH:1BD42341727ABA6BF4A732F72EF028D881EFE00220C5A5BE836419550D65FE1FB050F6
                                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...fWXg.........."...0.88............... ....@...... ....................................`................................
                                                                            Icon Hash:00928e8e8686b000
                                                                            Entrypoint:0x400000
                                                                            Entrypoint Section:
                                                                            Digitally signed:false
                                                                            Imagebase:0x400000
                                                                            Subsystem:windows cui
                                                                            Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                            DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                            Time Stamp:0x67585766 [Tue Dec 10 14:59:50 2024 UTC]
                                                                            TLS Callbacks:
                                                                            CLR (.Net) Version:
                                                                            OS Version Major:4
                                                                            OS Version Minor:0
                                                                            File Version Major:4
                                                                            File Version Minor:0
                                                                            Subsystem Version Major:4
                                                                            Subsystem Version Minor:0
                                                                            Import Hash:
                                                                            Instruction
                                                                            dec ebp
                                                                            pop edx
                                                                            nop
                                                                            add byte ptr [ebx], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax+eax], al
                                                                            add byte ptr [eax], al
                                                                            Name                                  Virtual Address  Virtual Size  Is in Section
                                                                            IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                                            IMAGE_DIRECTORY_ENTRY_IMPORT          0x0              0x0
                                                                            IMAGE_DIRECTORY_ENTRY_RESOURCE        0x6000           0x5f6         .rsrc
                                                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                                            IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                                                            IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
                                                                            IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                                            IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                                            IMAGE_DIRECTORY_ENTRY_IAT             0x0              0x0
                                                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2000           0x48          .text
                                                                            IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x3838 | 0x3a00 | 451a75f93dd85f43508b73bd631e03f3 | False | 0.5836476293103449 | data | 6.103245179246302 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x6000 | 0x5f6 | 0x600 | d7ff21e908b2048c690582e2b35a87b6 | False | 0.4205729166666667 | data | 4.181244061599353 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x60a0 | 0x36c | data | | | 0.3972602739726027
RT_MANIFEST | 0x640c | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 12, 2024 07:59:16.876620054 CET | 49704 | 443 | 192.168.2.5 | 172.67.74.152
Dec 12, 2024 07:59:16.876663923 CET | 443 | 49704 | 172.67.74.152 | 192.168.2.5
Dec 12, 2024 07:59:16.876787901 CET | 49704 | 443 | 192.168.2.5 | 172.67.74.152
Dec 12, 2024 07:59:16.882772923 CET | 49704 | 443 | 192.168.2.5 | 172.67.74.152
Dec 12, 2024 07:59:16.882787943 CET | 443 | 49704 | 172.67.74.152 | 192.168.2.5
Dec 12, 2024 07:59:18.102962971 CET | 443 | 49704 | 172.67.74.152 | 192.168.2.5
Dec 12, 2024 07:59:18.103060007 CET | 49704 | 443 | 192.168.2.5 | 172.67.74.152
Dec 12, 2024 07:59:18.140105963 CET | 49704 | 443 | 192.168.2.5 | 172.67.74.152
Dec 12, 2024 07:59:18.140194893 CET | 443 | 49704 | 172.67.74.152 | 192.168.2.5
Dec 12, 2024 07:59:18.140527964 CET | 443 | 49704 | 172.67.74.152 | 192.168.2.5
Dec 12, 2024 07:59:18.183568954 CET | 49704 | 443 | 192.168.2.5 | 172.67.74.152
Dec 12, 2024 07:59:18.534528017 CET | 49704 | 443 | 192.168.2.5 | 172.67.74.152
Dec 12, 2024 07:59:18.575341940 CET | 443 | 49704 | 172.67.74.152 | 192.168.2.5
Dec 12, 2024 07:59:18.859669924 CET | 443 | 49704 | 172.67.74.152 | 192.168.2.5
Dec 12, 2024 07:59:18.859834909 CET | 443 | 49704 | 172.67.74.152 | 192.168.2.5
Dec 12, 2024 07:59:18.860023975 CET | 49704 | 443 | 192.168.2.5 | 172.67.74.152
Dec 12, 2024 07:59:18.867222071 CET | 49704 | 443 | 192.168.2.5 | 172.67.74.152
Dec 12, 2024 07:59:20.299860954 CET | 49706 | 21 | 192.168.2.5 | 192.254.225.136
Dec 12, 2024 07:59:20.419250965 CET | 21 | 49706 | 192.254.225.136 | 192.168.2.5
Dec 12, 2024 07:59:20.419986963 CET | 49706 | 21 | 192.168.2.5 | 192.254.225.136
Dec 12, 2024 07:59:20.430951118 CET | 49706 | 21 | 192.168.2.5 | 192.254.225.136
Dec 12, 2024 07:59:20.462173939 CET | 49708 | 21 | 192.168.2.5 | 192.254.225.136
Dec 12, 2024 07:59:20.557717085 CET | 21 | 49706 | 192.254.225.136 | 192.168.2.5
Dec 12, 2024 07:59:20.557948112 CET | 49706 | 21 | 192.168.2.5 | 192.254.225.136
Dec 12, 2024 07:59:20.658703089 CET | 21 | 49708 | 192.254.225.136 | 192.168.2.5
Dec 12, 2024 07:59:20.658862114 CET | 49708 | 21 | 192.168.2.5 | 192.254.225.136
Dec 12, 2024 07:59:20.658986092 CET | 49708 | 21 | 192.168.2.5 | 192.254.225.136
Dec 12, 2024 07:59:20.663913012 CET | 49709 | 21 | 192.168.2.5 | 192.254.225.136
Dec 12, 2024 07:59:20.779001951 CET | 21 | 49708 | 192.254.225.136 | 192.168.2.5
Dec 12, 2024 07:59:20.779282093 CET | 49708 | 21 | 192.168.2.5 | 192.254.225.136
Dec 12, 2024 07:59:20.783682108 CET | 21 | 49709 | 192.254.225.136 | 192.168.2.5
Dec 12, 2024 07:59:20.783849955 CET | 49709 | 21 | 192.168.2.5 | 192.254.225.136
Dec 12, 2024 07:59:20.784024000 CET | 49709 | 21 | 192.168.2.5 | 192.254.225.136
Dec 12, 2024 07:59:20.795898914 CET | 49710 | 21 | 192.168.2.5 | 192.254.225.136
Dec 12, 2024 07:59:20.904386044 CET | 21 | 49709 | 192.254.225.136 | 192.168.2.5
Dec 12, 2024 07:59:20.904515982 CET | 49709 | 21 | 192.168.2.5 | 192.254.225.136
Dec 12, 2024 07:59:20.915364981 CET | 21 | 49710 | 192.254.225.136 | 192.168.2.5
Dec 12, 2024 07:59:20.915466070 CET | 49710 | 21 | 192.168.2.5 | 192.254.225.136
Dec 12, 2024 07:59:20.915643930 CET | 49710 | 21 | 192.168.2.5 | 192.254.225.136
Dec 12, 2024 07:59:21.035958052 CET | 21 | 49710 | 192.254.225.136 | 192.168.2.5
Dec 12, 2024 07:59:21.036046028 CET | 49710 | 21 | 192.168.2.5 | 192.254.225.136
Dec 12, 2024 08:00:56.326961994 CET | 49923 | 21 | 192.168.2.5 | 192.254.225.136
Dec 12, 2024 08:00:56.503225088 CET | 21 | 49923 | 192.254.225.136 | 192.168.2.5
Dec 12, 2024 08:00:56.503329039 CET | 49923 | 21 | 192.168.2.5 | 192.254.225.136
Dec 12, 2024 08:00:56.503664017 CET | 49923 | 21 | 192.168.2.5 | 192.254.225.136
Dec 12, 2024 08:00:56.623240948 CET | 21 | 49923 | 192.254.225.136 | 192.168.2.5
Dec 12, 2024 08:00:56.623343945 CET | 49923 | 21 | 192.168.2.5 | 192.254.225.136
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 12, 2024 07:59:16.728867054 CET | 62938 | 53 | 192.168.2.5 | 1.1.1.1
Dec 12, 2024 07:59:16.866036892 CET | 53 | 62938 | 1.1.1.1 | 192.168.2.5
Dec 12, 2024 07:59:19.489837885 CET | 50076 | 53 | 192.168.2.5 | 1.1.1.1
Dec 12, 2024 07:59:20.298454046 CET | 53 | 50076 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 12, 2024 07:59:16.728867054 CET | 192.168.2.5 | 1.1.1.1 | 0xb44e | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Dec 12, 2024 07:59:19.489837885 CET | 192.168.2.5 | 1.1.1.1 | 0x995f | Standard query (0) | ftp.ercolina-usa.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 12, 2024 07:59:16.866036892 CET | 1.1.1.1 | 192.168.2.5 | 0xb44e | No error (0) | api.ipify.org | | 172.67.74.152 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 07:59:16.866036892 CET | 1.1.1.1 | 192.168.2.5 | 0xb44e | No error (0) | api.ipify.org | | 104.26.13.205 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 07:59:16.866036892 CET | 1.1.1.1 | 192.168.2.5 | 0xb44e | No error (0) | api.ipify.org | | 104.26.12.205 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 07:59:20.298454046 CET | 1.1.1.1 | 192.168.2.5 | 0x995f | No error (0) | ftp.ercolina-usa.com | ercolina-usa.com | | CNAME (Canonical name) | IN (0x0001) | false
Dec 12, 2024 07:59:20.298454046 CET | 1.1.1.1 | 192.168.2.5 | 0x995f | No error (0) | ercolina-usa.com | | 192.254.225.136 | A (IP address) | IN (0x0001) | false
                                                                            • api.ipify.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49704 | 172.67.74.152 | 443 | 6564 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-12 06:59:18 UTC | 155 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
    Host: api.ipify.org
    Connection: Keep-Alive
2024-12-12 06:59:18 UTC | 424 | IN | HTTP/1.1 200 OK
    Date: Thu, 12 Dec 2024 06:59:18 GMT
    Content-Type: text/plain
    Content-Length: 12
    Connection: close
    Vary: Origin
    CF-Cache-Status: DYNAMIC
    Server: cloudflare
    CF-RAY: 8f0bd4b9dcec4207-EWR
    server-timing: cfL4;desc="?proto=TCP&rtt=1580&min_rtt=1572&rtt_var=606&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2820&recv_bytes=769&delivery_rate=1782661&cwnd=183&unsent_bytes=0&cid=03bd3d6b07783830&ts=769&x=0"
2024-12-12 06:59:18 UTC | 12 | IN | Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 37 35
    Data Ascii: 8.46.123.175



                                                                            Target ID:0
                                                                            Start time:01:59:11
                                                                            Start date:12/12/2024
                                                                            Path:C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:"C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.exe"
                                                                            Imagebase:0x29d8cda0000
                                                                            File size:614'024 bytes
                                                                            MD5 hash:6EA849B727EEA7B7487AA0941258F8BD
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2405086703.0000029D8F0FB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2406340649.0000029D9EC01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2406340649.0000029D9EC01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                            Reputation:low
                                                                            Has exited:true

                                                                            Target ID:1
                                                                            Start time:01:59:11
                                                                            Start date:12/12/2024
                                                                            Path:C:\Windows\System32\conhost.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                            Imagebase:0x7ff6d64d0000
                                                                            File size:862'208 bytes
                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            Target ID:3
                                                                            Start time:01:59:13
                                                                            Start date:12/12/2024
                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ-004282A.Teknolojileri A.S.exe" -Force
                                                                            Imagebase:0x7ff7be880000
                                                                            File size:452'608 bytes
                                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            Target ID:4
                                                                            Start time:01:59:13
                                                                            Start date:12/12/2024
                                                                            Path:C:\Windows\System32\conhost.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                            Imagebase:0x7ff6d64d0000
                                                                            File size:862'208 bytes
                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            Target ID:5
                                                                            Start time:01:59:14
                                                                            Start date:12/12/2024
                                                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
                                                                            Imagebase:0xaa0000
                                                                            File size:65'440 bytes
                                                                            MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.4534794100.0000000002E3C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.4534794100.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.4534794100.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.4532768397.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.4532768397.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                            Reputation:high
                                                                            Has exited:false

                                                                            Target ID:8
                                                                            Start time:01:59:15
                                                                            Start date:12/12/2024
                                                                            Path:C:\Windows\System32\WerFault.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Windows\system32\WerFault.exe -u -p 2928 -s 1132
                                                                            Imagebase:0x7ff6cbb20000
                                                                            File size:570'736 bytes
                                                                            MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            Target ID:11
                                                                            Start time:01:59:30
                                                                            Start date:12/12/2024
                                                                            Path:C:\Users\user\AppData\Roaming\newapp\newapp.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\Users\user\AppData\Roaming\newapp\newapp.exe"
                                                                            Imagebase:0x560000
                                                                            File size:65'440 bytes
                                                                            MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                                                            Has elevated privileges:false
                                                                            Has administrator privileges:false
                                                                            Programmed in:C, C++ or other language
                                                                            Antivirus matches:
                                                                            • Detection: 0%, ReversingLabs
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            Target ID:12
                                                                            Start time:01:59:30
                                                                            Start date:12/12/2024
                                                                            Path:C:\Windows\System32\conhost.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                            Imagebase:0x7ff6d64d0000
                                                                            File size:862'208 bytes
                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                            Has elevated privileges:false
                                                                            Has administrator privileges:false
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            Target ID:13
                                                                            Start time:01:59:38
                                                                            Start date:12/12/2024
                                                                            Path:C:\Users\user\AppData\Roaming\newapp\newapp.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\Users\user\AppData\Roaming\newapp\newapp.exe"
                                                                            Imagebase:0x3d0000
                                                                            File size:65'440 bytes
                                                                            MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                                                            Has elevated privileges:false
                                                                            Has administrator privileges:false
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            Target ID:14
                                                                            Start time:01:59:38
                                                                            Start date:12/12/2024
                                                                            Path:C:\Windows\System32\conhost.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                            Imagebase:0x7ff6d64d0000
                                                                            File size:862'208 bytes
                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                            Has elevated privileges:false
                                                                            Has administrator privileges:false
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true


                                                                              Execution Graph

                                                                              Execution Coverage:15.7%
                                                                              Dynamic/Decrypted Code Coverage:100%
                                                                              Signature Coverage:0%
                                                                              Total number of Nodes:3
                                                                              Total number of Limit Nodes:0
execution_graph
• Node 13832: 7ff848f2049a
• Node 13833: 7ff848f20d10 (FreeConsole)
• Node 13835: 7ff848f20d8e
• Edges: 13832 -> 13833, 13833 -> 13835
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2408788229.00007FF849030000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849030000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7ff849030000_RFQ-004282A.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 0H$8H$@H$A$H
                                                                              • API String ID: 0-677754920
                                                                              • Opcode ID: 88c6c750396dd64131433ec89ad2970e58222ad504ddea2ee2f38d20199fe7a3
                                                                              • Instruction ID: 2a0f20b29ff0514bd7e8c26bd61b8f3035b307fa149586fd6d80ce12bea66267
                                                                              • Opcode Fuzzy Hash: 88c6c750396dd64131433ec89ad2970e58222ad504ddea2ee2f38d20199fe7a3
                                                                              • Instruction Fuzzy Hash: D6E2D33180EAC58FEB76EB2888555A47FF0FF56340B1905EFC08DCB197DA29A84AC751
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2408288092.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7ff848f20000_RFQ-004282A.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: L$fL_H
                                                                              • API String ID: 0-3757094450
                                                                              • Opcode ID: 71c2d25fc18b9b9f4ab6b9597a881eb7fbf4f7436b5d734e258a2e110a72bdb6
                                                                              • Instruction ID: 047b93e8c4f023a9400f2064b21dadcfc5630c02166093672aa755720964304d
                                                                              • Opcode Fuzzy Hash: 71c2d25fc18b9b9f4ab6b9597a881eb7fbf4f7436b5d734e258a2e110a72bdb6
                                                                              • Instruction Fuzzy Hash: DFE2C231A1C90A8FEB98FB2C9459A7477D1FF98790F1401BAD40AC72E6DF25EC428785

                                                                              Control-flow Graph

                                                                              • Executed
                                                                              • Not Executed
                                                                              control_flow_graph 971 7ff848f22f80-7ff848f5160e call 7ff848f4da90 975 7ff848f5162b 971->975 976 7ff848f51610-7ff848f51629 971->976 978 7ff848f5162d-7ff848f5163a call 7ff848f4d328 975->978 976->978 980 7ff848f5163f-7ff848f5164a 978->980 981 7ff848f5164c-7ff848f51665 980->981 982 7ff848f5166a-7ff848f516a0 call 7ff848f4d330 980->982 981->982 985 7ff848f51667-7ff848f51668 981->985 988 7ff848f522ed-7ff848f522f2 982->988 989 7ff848f516a6-7ff848f516b5 982->989 985->982 992 7ff848f522f8-7ff848f52305 988->992 993 7ff848f516c0-7ff848f516f1 988->993 990 7ff848f516bb 989->990 991 7ff848f52310-7ff848f52318 989->991 994 7ff848f52859-7ff848f5286d 990->994 991->994 997 7ff848f5231e-7ff848f52351 991->997 992->993 996 7ff848f5230b 992->996 998 7ff848f516f6-7ff848f516fe 993->998 999 7ff848f516f3-7ff848f516f4 993->999 996->994 1000 7ff848f5286e-7ff848f528b3 997->1000 1001 7ff848f52357-7ff848f5237e 997->1001 1002 7ff848f51714-7ff848f52293 call 7ff848f22808 998->1002 1003 7ff848f51700-7ff848f5170f call 7ff848f22f90 998->1003 999->998 1015 7ff848f528b5-7ff848f528b7 1000->1015 1008 7ff848f52385-7ff848f52389 1001->1008 1009 7ff848f52380-7ff848f52383 1001->1009 1020 7ff848f522cf-7ff848f522d6 1002->1020 1021 7ff848f52295-7ff848f5229c 1002->1021 1003->1002 1010 7ff848f5238c-7ff848f5238f 1008->1010 1009->1010 1013 7ff848f52395-7ff848f523c2 call 7ff848f386d0 call 7ff848f38780 1010->1013 1014 7ff848f52391-7ff848f52393 1010->1014 1017 7ff848f523d7-7ff848f523ee 1013->1017 1044 7ff848f523c4-7ff848f523d5 call 7ff848f21f58 1013->1044 1014->1017 1015->1015 1019 7ff848f528b9-7ff848f528c9 call 7ff848f4d330 1015->1019 1017->994 1031 7ff848f523f4-7ff848f523f8 1017->1031 1035 7ff848f528d5-7ff848f528da 1019->1035 1024 7ff848f522d8-7ff848f522e6 call 7ff848f4d320 1020->1024 1026 7ff848f5229e-7ff848f522b5 1021->1026 1027 7ff848f522c6-7ff848f522cd 1021->1027 1024->988 1026->1024 1032 7ff848f522b7-7ff848f522c4 call 7ff848f4d320 
1026->1032 1027->1024 1031->994 1037 7ff848f523fe-7ff848f52485 1031->1037 1032->991 1040 7ff848f528dc-7ff848f528e9 1035->1040 1041 7ff848f528cb-7ff848f528d0 call 7ff848f4d320 1035->1041 1052 7ff848f524ea-7ff848f524ff 1037->1052 1053 7ff848f52487-7ff848f52494 1037->1053 1040->1041 1045 7ff848f528eb-7ff848f528f4 1040->1045 1041->1035 1044->1017 1054 7ff848f527fb-7ff848f52800 1052->1054 1053->1052 1055 7ff848f52496-7ff848f524a4 1053->1055 1056 7ff848f52504-7ff848f5250e 1054->1056 1057 7ff848f52806-7ff848f52813 1054->1057 1055->1000 1058 7ff848f524aa-7ff848f524b8 1055->1058 1059 7ff848f5269e-7ff848f526b1 1056->1059 1060 7ff848f52514-7ff848f52522 1056->1060 1057->1056 1061 7ff848f52819-7ff848f52825 1057->1061 1062 7ff848f524c8-7ff848f524e5 call 7ff848f22808 1058->1062 1063 7ff848f524ba-7ff848f524c3 call 7ff848f22810 1058->1063 1070 7ff848f526b3 1059->1070 1060->1059 1064 7ff848f52528-7ff848f5264c call 7ff848f41558 * 2 call 7ff848f422f0 1060->1064 1061->1000 1066 7ff848f52827-7ff848f52854 call 7ff848f22808 1061->1066 1062->994 1063->1062 1108 7ff848f5264e-7ff848f52684 call 7ff848f47b10 * 2 1064->1108 1109 7ff848f52686 1064->1109 1066->994 1070->1070 1073 7ff848f526b5-7ff848f5279b call 7ff848f422f0 1070->1073 1099 7ff848f5279d-7ff848f527cc call 7ff848f47b10 * 2 1073->1099 1100 7ff848f527ce-7ff848f527cf 1073->1100 1103 7ff848f527d1-7ff848f527f6 call 7ff848f22808 call 7ff848f4d320 1099->1103 1100->1103 1103->1054 1111 7ff848f52688-7ff848f52699 1108->1111 1109->1111 1111->1103
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2408288092.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7ff848f20000_RFQ-004282A.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: (
                                                                              • API String ID: 0-3887548279
                                                                              • Opcode ID: e1eab4087152dc98ad877d7b675b07f8fefcf65dde91463afc0f6b979374cc94
                                                                              • Instruction ID: e37e167844d048760440d30806aa9eb96a25e8334210089d479aeedfb838f239
                                                                              • Opcode Fuzzy Hash: e1eab4087152dc98ad877d7b675b07f8fefcf65dde91463afc0f6b979374cc94
                                                                              • Instruction Fuzzy Hash: AD424030A1CA498FEB98EB189495AB5B7E1FFA8340F14467ED04EC32D2DF39E8458745

                                                                              Control-flow Graph

                                                                              • Executed
                                                                              • Not Executed
                                                                              control_flow_graph 1509 7ff848f20a74-7ff848f20a84 1510 7ff848f20aba-7ff848f20b3e call 7ff848f20558 1509->1510 1511 7ff848f20a86-7ff848f20a97 1509->1511 1514 7ff848f20b3f-7ff848f20b61 1510->1514 1512 7ff848f20a99-7ff848f20aaa 1511->1512 1513 7ff848f20ab1-7ff848f20ab9 1511->1513 1512->1514 1515 7ff848f20ab0 1512->1515 1513->1510 1518 7ff848f20c2f-7ff848f20c76 1514->1518 1519 7ff848f20b67-7ff848f20c2e call 7ff848f20568 1514->1519 1515->1513 1531 7ff848f20c7b-7ff848f20c8c 1518->1531 1519->1518
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2408288092.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7ff848f20000_RFQ-004282A.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: @wH
                                                                              • API String ID: 0-2618975748
                                                                              • Opcode ID: c566073a4a7b59938fb74026dafaa22277f1eecc7f23b0344aa78e8070045fa4
                                                                              • Instruction ID: 0814952b52776abfa082469769ae469275d9a19a4cefeee358805c56178913f4
                                                                              • Opcode Fuzzy Hash: c566073a4a7b59938fb74026dafaa22277f1eecc7f23b0344aa78e8070045fa4
                                                                              • Instruction Fuzzy Hash: 20712632E0EA859FD34CFB7C946A5747BE1EFAA210B0445FEC04AC76E3DE1998028744
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2408288092.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7ff848f20000_RFQ-004282A.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 1f9e29747cbee12d5128de5025bede2dcc1d548ec182f4329ece50bc11f6585e
                                                                              • Instruction ID: cfd7facefdcc7d90060df71e9a5dd9b4735beade9934270528988ed88960393d
                                                                              • Opcode Fuzzy Hash: 1f9e29747cbee12d5128de5025bede2dcc1d548ec182f4329ece50bc11f6585e
                                                                              • Instruction Fuzzy Hash: 7B82AF31A1CA4A9FEB98FB2C9455675B3D1FF98384F1441B9D84EC72C7DF28A8428784
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2408288092.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7ff848f20000_RFQ-004282A.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: b9215a5f74ea8b77228e2f280853dda39d4d75e6299fbc0ba82d0e93d6253457
                                                                              • Instruction ID: 08b5b1c9e9246b0f170bd923fa22c25ea42f7589c63c6120654cd17812a439e7
                                                                              • Opcode Fuzzy Hash: b9215a5f74ea8b77228e2f280853dda39d4d75e6299fbc0ba82d0e93d6253457
                                                                              • Instruction Fuzzy Hash: B1425D31A1CA068FEB98EB18D091A76B3E1FFA4750F14457AD04EC36C6DF29F8468784
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2408288092.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7ff848f20000_RFQ-004282A.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 9bcbcb697e59a6438c1b29866b56cd202f1e10f643d1aa6b3a34eaafc9706d57
                                                                              • Instruction ID: 5c78dfb6e74840fbc119b3e072931511b244f9b5f90efc960dc25fbc105b159a
                                                                              • Opcode Fuzzy Hash: 9bcbcb697e59a6438c1b29866b56cd202f1e10f643d1aa6b3a34eaafc9706d57
                                                                              • Instruction Fuzzy Hash: F332083290E556AFE754BB2CA4403F677A0EF907A9F18417BD04D8A1C3DF1DA886C798
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2408288092.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7ff848f20000_RFQ-004282A.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 62e1dd88c994f1a5ae39484acc3e07ec50f0d0ec4d33fbad3cd965c48e44072e
                                                                              • Instruction ID: b3136879bdaec9f573627278f43dbe577db1ac2f31df9881479028c9c60ad9d9
                                                                              • Opcode Fuzzy Hash: 62e1dd88c994f1a5ae39484acc3e07ec50f0d0ec4d33fbad3cd965c48e44072e
                                                                              • Instruction Fuzzy Hash: E8422E30A18A098FEB98EB18C494BB977E1FF64744F1042BAD44ED7292DF35E885CB45
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2408288092.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7ff848f20000_RFQ-004282A.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: db5a21979ad9bf11997f1a2e25d3ed66836e5720e4107dd1e1c9f262bdc41d5b
                                                                              • Instruction ID: 054207ed9159be8f5fd4c436b635a528f98fc9b03f34f032952f838c002e9172
                                                                              • Opcode Fuzzy Hash: db5a21979ad9bf11997f1a2e25d3ed66836e5720e4107dd1e1c9f262bdc41d5b
                                                                              • Instruction Fuzzy Hash: 5122D330A1CA465FF758BB2894522B573D1FFA8B84F54457EE44ED32C3DF2CA8068689

                                                                              Control-flow Graph

                                                                              • Executed
                                                                              • Not Executed
                                                                              control_flow_graph 1342 7ff848f20cc9-7ff848f20ccf 1343 7ff848f20cda-7ff848f20ceb 1342->1343 1344 7ff848f20cd1-7ff848f20cd9 1342->1344 1345 7ff848f20ced-7ff848f20cf5 1343->1345 1346 7ff848f20cf6-7ff848f20d8c FreeConsole 1343->1346 1344->1343 1345->1346 1350 7ff848f20d8e 1346->1350 1351 7ff848f20d94-7ff848f20dbb 1346->1351 1350->1351
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2408288092.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7ff848f20000_RFQ-004282A.jbxd
                                                                              Similarity
                                                                              • API ID: ConsoleFree
                                                                              • String ID:
                                                                              • API String ID: 771614528-0
                                                                              • Opcode ID: df061017792604168a25ed2cc4492774c2586b05c8c2e6cdd03eb2ca688f6dba
                                                                              • Instruction ID: 75853cd3020953bc5ec7b9647f0b1f2b32e0043de554f9dbae53f3be137b83a1
                                                                              • Opcode Fuzzy Hash: df061017792604168a25ed2cc4492774c2586b05c8c2e6cdd03eb2ca688f6dba
                                                                              • Instruction Fuzzy Hash: AE31F87190DB888FD729EB68D845BE97BF0EF52321F04426FD089C3193DB68A445CB51

                                                                              Control-flow Graph

                                                                              • Executed
                                                                              • Not Executed
                                                                              control_flow_graph 1405 7ff848f2049a-7ff848f20d52 1408 7ff848f20d5a-7ff848f20d8c FreeConsole 1405->1408 1409 7ff848f20d8e 1408->1409 1410 7ff848f20d94-7ff848f20dbb 1408->1410 1409->1410
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2408288092.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7ff848f20000_RFQ-004282A.jbxd
                                                                              Similarity
                                                                              • API ID: ConsoleFree
                                                                              • String ID:
                                                                              • API String ID: 771614528-0
                                                                              • Opcode ID: 2f0b61c4fb95b9eda5aa55d321ddf673c1909f7961363ca435b76eb1dc1bb53a
                                                                              • Instruction ID: d03c71a2a14ae5af9635325112f107394d63099bb305176c89b8493d552dda49
                                                                              • Opcode Fuzzy Hash: 2f0b61c4fb95b9eda5aa55d321ddf673c1909f7961363ca435b76eb1dc1bb53a
                                                                              • Instruction Fuzzy Hash: B9217F7190CA0C9FDB28EF99D84ABFABBE0EB55321F00422ED04AD3552DB75A449CB51
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2408788229.00007FF849030000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849030000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7ff849030000_RFQ-004282A.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: @wH
                                                                              • API String ID: 0-2618975748
                                                                              • Opcode ID: e4c3e1790d2f97aef96691390db63835313644ca50ff89c7459a715bec029ddd
                                                                              • Instruction ID: 86ba98b186cebfb08bfc9ff4aab10a060e2fa598ce1f77431dfcd21fc8ae4cd4
                                                                              • Opcode Fuzzy Hash: e4c3e1790d2f97aef96691390db63835313644ca50ff89c7459a715bec029ddd
                                                                              • Instruction Fuzzy Hash: A1410122A0EAC95FEBBAAB2958646747BF1EF56250F0C00FBC44DC71E7ED099C458352
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2408788229.00007FF849030000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849030000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7ff849030000_RFQ-004282A.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 7b41b77887617d30a665a20fc058d83b52e452c4fce2c7349ce1cf2b71111e90
                                                                              • Instruction ID: 2b1c62705afcaad2957fab86b63a99ba7b089b06283a7b3c414d28d831f2077d
                                                                              • Opcode Fuzzy Hash: 7b41b77887617d30a665a20fc058d83b52e452c4fce2c7349ce1cf2b71111e90
                                                                              • Instruction Fuzzy Hash: E671C43190DAC98FDBA6EB2488659A57BB0FF5A340B1904FFC04ECB193DA29E845C741
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2408788229.00007FF849030000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849030000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7ff849030000_RFQ-004282A.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: b9b52bf6155dfef61e785d7feca7da2660feded01f3a107ab19c99d2f9f85b49
                                                                              • Instruction ID: 8b200047be1a9d726a7c904bb8a723d42ea3241d389efd6e9b37b57069a48b0c
                                                                              • Opcode Fuzzy Hash: b9b52bf6155dfef61e785d7feca7da2660feded01f3a107ab19c99d2f9f85b49
                                                                              • Instruction Fuzzy Hash: A631D33590C98D8FDFA8EF18C8958B9B7A1FF98340B1805BAD04EC7195DE35F8818780
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2408788229.00007FF849030000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849030000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7ff849030000_RFQ-004282A.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: de7fc37752d459df57ba4ea2a253114c46d1864b1193711c133b67418dbd6997
                                                                              • Instruction ID: ef18a5aa5801ad3207b1232a8a5d8e633ce03254257efb97ec41f2978d9582b2
                                                                              • Opcode Fuzzy Hash: de7fc37752d459df57ba4ea2a253114c46d1864b1193711c133b67418dbd6997
                                                                              • Instruction Fuzzy Hash: F8F0A732B1CA4C4FD798DA1CA845179B7E2EBD913674983BFD08EC7166DA2598468304
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2408288092.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7ff848f20000_RFQ-004282A.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: wK_
                                                                              • API String ID: 0-1872429229
                                                                              • Opcode ID: 2cf9d697aaab001e18a1af6a067cd85b1f9c60722480393fe031c366aa126da1
                                                                              • Instruction ID: 38ac183a1e106f497e804d0b8035157961a8fc1226877db5794e343c9983e6bf
                                                                              • Opcode Fuzzy Hash: 2cf9d697aaab001e18a1af6a067cd85b1f9c60722480393fe031c366aa126da1
                                                                              • Instruction Fuzzy Hash: FEF12B37A1E5666EE750776CB4450EA7B60EF907B9F080377D68CDE083DB1C648682E8

                                                                              Execution Graph

                                                                              Execution Coverage:13.3%
                                                                              Dynamic/Decrypted Code Coverage:100%
                                                                              Signature Coverage:0%
                                                                              Total number of Nodes:187
                                                                              Total number of Limit Nodes:23

                                                                              Control-flow Graph

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.4540479582.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_66f0000_RegAsm.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: $pq$$pq$$pq$$pq$$pq$$pq
                                                                              • API String ID: 0-3947858918
                                                                              • Opcode ID: cee7f56e9f0e53e948e6c6902dad004dcd6bbb2ab51d30c7805b288c8fdc5e7b
                                                                              • Instruction ID: 864a7f677fa05469d8628d89194d8becfb5be33b995b14a7649d487c893925fd
                                                                              • Opcode Fuzzy Hash: cee7f56e9f0e53e948e6c6902dad004dcd6bbb2ab51d30c7805b288c8fdc5e7b
                                                                              • Instruction Fuzzy Hash: B8322E71E1061ACFCB14EB75C89059DB7B2FFD9300F61876AD509AB314EB70AA85CB90

                                                                              Control-flow Graph

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.4540479582.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_66f0000_RegAsm.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: $pq$$pq
                                                                              • API String ID: 0-1409352612
                                                                              • Opcode ID: b87e5a32a8438de300b102055a5ee7c79531ab0cf35c82bc0e2816c7aae9f5a4
                                                                              • Instruction ID: c65cc39e4a121051c582005346a2e6aef9b429f453423775045a0cdb91886796
                                                                              • Opcode Fuzzy Hash: b87e5a32a8438de300b102055a5ee7c79531ab0cf35c82bc0e2816c7aae9f5a4
                                                                              • Instruction Fuzzy Hash: A502B230B102168FDF64DF65D9906AEB7B6FF84300F248669E9159B394DB35EC46CB80
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.4540479582.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_66f0000_RegAsm.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: f0f4c81cccb3604b1a742b5c118fd5621282abfb07ab42aac317224c722e2b3f
                                                                              • Instruction ID: 377910ff8935ad011cc9ac12c06f4e6852ab73838d9357f9d0040ee36985186f
                                                                              • Opcode Fuzzy Hash: f0f4c81cccb3604b1a742b5c118fd5621282abfb07ab42aac317224c722e2b3f
                                                                              • Instruction Fuzzy Hash: D2629D30B202158FDB64DB68D594AADBBF2EF88310F248569E906EB354DB75EC41CB90
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.4540479582.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_66f0000_RegAsm.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 2dc8909b14c158f355f862f8c77613e883dd9be03bea322a532523644228bee5
                                                                              • Instruction ID: df5ab609669b0ebbc5c9f25e091749fa71d55dd021896c499b5f8e1e16c7387e
                                                                              • Opcode Fuzzy Hash: 2dc8909b14c158f355f862f8c77613e883dd9be03bea322a532523644228bee5
                                                                              • Instruction Fuzzy Hash: 93327075B2020A9FDF64DB68D990BAEBBB2FB88310F208525E505DB355DB35EC41CB90
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.4540479582.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_66f0000_RegAsm.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 9a6a2a5e28ef275e97d768183681063ddb5841a118f39eda0bd5b0a4f60d5f46
                                                                              • Instruction ID: 84984057f67fe88df0a8dff5605a49840d1e945ab1bf43cfa162a94a12b362bc
                                                                              • Opcode Fuzzy Hash: 9a6a2a5e28ef275e97d768183681063ddb5841a118f39eda0bd5b0a4f60d5f46
                                                                              • Instruction Fuzzy Hash: F122D371F202159FDF64DB64D8846AEBBB2FF94310F248466EA569B384DB34EC41CB90
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.4540479582.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_66f0000_RegAsm.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 1045b3660a4279d7e0bc1c8cdcefc397ad49152256f8cb57862fffb0411bd439
                                                                              • Instruction ID: 53c3f19736cb64256ed93425a8711207ad3eb68b2d6603e6f6e43155357841df
                                                                              • Opcode Fuzzy Hash: 1045b3660a4279d7e0bc1c8cdcefc397ad49152256f8cb57862fffb0411bd439
                                                                              • Instruction Fuzzy Hash: 28228E74E2010A8FEF64DB68C5907AEB7B6FB89310F248526E605DB395CB35DC81CB91

                                                                              Control-flow Graph

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.4540479582.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_66f0000_RegAsm.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: $pq$$pq$$pq$$pq$$pq$$pq$$pq$$pq
                                                                              • API String ID: 0-2821355145
                                                                              • Opcode ID: b877a3f4cbbbd5c0fd83893d7940d286c01329ecf6a6175682d654ff1477aba7
                                                                              • Instruction ID: a26be53b05e1d0b4b5af369eff11e335953747bd0fdc9509d4b8f3ac1cb03277
                                                                              • Opcode Fuzzy Hash: b877a3f4cbbbd5c0fd83893d7940d286c01329ecf6a6175682d654ff1477aba7
                                                                              • Instruction Fuzzy Hash: D5E17F70F2021A8FDF65DBA5D4906AEB7B2FF85300F208929E509DB354DB759C46CB90

                                                                              Control-flow Graph

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.4540479582.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_66f0000_RegAsm.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: $pq$$pq$$pq$$pq$$pq$$pq
                                                                              • API String ID: 0-3947858918
                                                                              • Opcode ID: 2c1851f30736a05688a8cfd88025651d0089be1d5d9e7cec614ecb2a585448a8
                                                                              • Instruction ID: 19984a9f5203cacb876733d6df081a15ee975c48889024764d6bea6a44e54941
                                                                              • Opcode Fuzzy Hash: 2c1851f30736a05688a8cfd88025651d0089be1d5d9e7cec614ecb2a585448a8
                                                                              • Instruction Fuzzy Hash: E8028A70E2021A9FDFA4DF68C4806ADB7B2EF85300F24892AE515EB355DB35DC81CB91

APIs
• GetCurrentProcess.KERNEL32 ref: 066EA15E
• GetCurrentThread.KERNEL32 ref: 066EA19B
• GetCurrentProcess.KERNEL32 ref: 066EA1D8
• GetCurrentThreadId.KERNEL32 ref: 066EA231
Memory Dump Source
• Source File: 00000005.00000002.4540390730.00000000066E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_66e0000_RegAsm.jbxd
Similarity
• API ID: Current$ProcessThread


Strings
Memory Dump Source
• Source File: 00000005.00000002.4540479582.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_66f0000_RegAsm.jbxd
Similarity
• String ID: $pq$$pq$$pq$$pq

Strings
Memory Dump Source
• Source File: 00000005.00000002.4540479582.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_66f0000_RegAsm.jbxd
Similarity
• String ID: $pq$$pq$$pq

Strings
Memory Dump Source
• Source File: 00000005.00000002.4540479582.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_66f0000_RegAsm.jbxd
Similarity
• String ID: fuq$XPuq$\Ouq

Strings
Memory Dump Source
• Source File: 00000005.00000002.4540479582.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_66f0000_RegAsm.jbxd
Similarity
• String ID: $pq$$pq
Strings
Memory Dump Source
• Source File: 00000005.00000002.4540479582.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_66f0000_RegAsm.jbxd
Similarity
• String ID: fuq$XPuq
Memory Dump Source
• Source File: 00000005.00000002.4533580320.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_10b0000_RegAsm.jbxd
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 066E684A
Memory Dump Source
• Source File: 00000005.00000002.4540390730.00000000066E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_66e0000_RegAsm.jbxd
Similarity
• API ID: CreateWindow
APIs
• CallWindowProcW.USER32(?,?,?,?,?), ref: 066EB679
Memory Dump Source
• Source File: 00000005.00000002.4540390730.00000000066E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_66e0000_RegAsm.jbxd
Similarity
• API ID: CallProcWindow
Memory Dump Source
• Source File: 00000005.00000002.4540390730.00000000066E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_66e0000_RegAsm.jbxd
Similarity
• API ID: Clipboard
APIs
• OleInitialize.OLE32(00000000), ref: 066EBE15
Memory Dump Source
• Source File: 00000005.00000002.4540390730.00000000066E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_66e0000_RegAsm.jbxd
Similarity
• API ID: Initialize
• String ID:
• API String ID: 2538663250-0
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 066EA3AF
Memory Dump Source
• Source File: 00000005.00000002.4540390730.00000000066E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_66e0000_RegAsm.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 066EA3AF
Memory Dump Source
• Source File: 00000005.00000002.4540390730.00000000066E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_66e0000_RegAsm.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
APIs
• SetWindowsHookExA.USER32(?,00000000,?,?), ref: 066EDD4B
Memory Dump Source
• Source File: 00000005.00000002.4540390730.00000000066E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_66e0000_RegAsm.jbxd
Similarity
• API ID: HookWindows
• String ID:
• API String ID: 2559412058-0
APIs
• DeleteFileW.KERNEL32(00000000), ref: 010B80B0
Memory Dump Source
• Source File: 00000005.00000002.4533580320.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_10b0000_RegAsm.jbxd
Similarity
• API ID: DeleteFile
• String ID:
• API String ID: 4033686569-0
APIs
• SetWindowsHookExA.USER32(?,00000000,?,?), ref: 066EDD4B
Memory Dump Source
• Source File: 00000005.00000002.4540390730.00000000066E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_66e0000_RegAsm.jbxd
Similarity
• API ID: HookWindows
• String ID:
• API String ID: 2559412058-0
APIs
• DeleteFileW.KERNEL32(00000000), ref: 010B80B0
Memory Dump Source
• Source File: 00000005.00000002.4533580320.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_10b0000_RegAsm.jbxd
Similarity
• API ID: DeleteFile
• String ID:
• API String ID: 4033686569-0
APIs
• GlobalMemoryStatusEx.KERNEL32(?), ref: 010BF107
Memory Dump Source
• Source File: 00000005.00000002.4533580320.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_10b0000_RegAsm.jbxd
Similarity
• API ID: GlobalMemoryStatus
• String ID:
• API String ID: 1890195054-0
APIs
• GetModuleHandleW.KERNEL32(00000000), ref: 066E56F6
Memory Dump Source
• Source File: 00000005.00000002.4540390730.00000000066E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_66e0000_RegAsm.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
APIs
• GetModuleHandleW.KERNEL32(00000000), ref: 066E56F6
Memory Dump Source
• Source File: 00000005.00000002.4540390730.00000000066E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_66e0000_RegAsm.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
APIs
• KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,066EB8CD), ref: 066EB957
Memory Dump Source
• Source File: 00000005.00000002.4540390730.00000000066E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_66e0000_RegAsm.jbxd
Similarity
• API ID: CallbackDispatcherUser
• String ID:
• API String ID: 2492992576-0
APIs
• OleInitialize.OLE32(00000000), ref: 066EBE15
Memory Dump Source
• Source File: 00000005.00000002.4540390730.00000000066E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_66e0000_RegAsm.jbxd
Similarity
• API ID: Initialize
• String ID:
• API String ID: 2538663250-0
APIs
• KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,066EB8CD), ref: 066EB957
Memory Dump Source
• Source File: 00000005.00000002.4540390730.00000000066E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_66e0000_RegAsm.jbxd
Similarity
• API ID: CallbackDispatcherUser
• String ID:
• API String ID: 2492992576-0
APIs
• OleInitialize.OLE32(00000000), ref: 066EBE15
Memory Dump Source
• Source File: 00000005.00000002.4540390730.00000000066E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_66e0000_RegAsm.jbxd
Similarity
• API ID: Initialize
• String ID:
• API String ID: 2538663250-0
Strings
Memory Dump Source
• Source File: 00000005.00000002.4540479582.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_66f0000_RegAsm.jbxd
Similarity
• API ID:
• String ID: PHpq
• API String ID: 0-2633839770
Strings
Memory Dump Source
• Source File: 00000005.00000002.4540479582.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_66f0000_RegAsm.jbxd
Similarity
• API ID:
• String ID: PHpq
• API String ID: 0-2633839770
Strings
Memory Dump Source
• Source File: 00000005.00000002.4540479582.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_66f0000_RegAsm.jbxd
Similarity
• API ID:
• String ID: \Ouq
• API String ID: 0-2920507874
Memory Dump Source
• Source File: 00000005.00000002.4540479582.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_66f0000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.4540479582.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_66f0000_RegAsm.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 36a18c9568143bed7335584c6bfaa01ac082ad404cffbf1f69fa0bb10ece9a9e
                                                                              • Instruction ID: 95f9fa814b68317a2f8cb765987d216670e6eccaf10367f81edf9bee20c1b4a0
                                                                              • Opcode Fuzzy Hash: 36a18c9568143bed7335584c6bfaa01ac082ad404cffbf1f69fa0bb10ece9a9e
                                                                              • Instruction Fuzzy Hash: 03817070B1020A8FDF58DBA9D4547AEB7F2AF89300F208525E51AEB759EF74DC428B40
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.4540479582.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_66f0000_RegAsm.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 1127a087f4c9d0d90bfb3cef6593f7d676109a6f907654a8e9cd214065841e7f
                                                                              • Instruction ID: 325302fb05cfb580f0cba32a34f3f7e8d86644b4e4f7800c5e67ad420167812e
                                                                              • Opcode Fuzzy Hash: 1127a087f4c9d0d90bfb3cef6593f7d676109a6f907654a8e9cd214065841e7f
                                                                              • Instruction Fuzzy Hash: A0914D70E1021A8FDF60DF68C890B9DB7B1FF89310F208699D549AB395DB70AA85CB50
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.4540479582.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_66f0000_RegAsm.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: d4393684395c4315c3e892e79796fd4da429b601ad34799412b67baef3bd2be1
                                                                              • Instruction ID: 1643532744623a2a43411c9c229d4f3d4815f03f766bbdb50ba51607cd097e1c
                                                                              • Opcode Fuzzy Hash: d4393684395c4315c3e892e79796fd4da429b601ad34799412b67baef3bd2be1
                                                                              • Instruction Fuzzy Hash: 9F914F70E1021A8BDF64DF68C890B9EB7B1FF89310F208595D549BB395DB70AA85CF50
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.4540479582.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_66f0000_RegAsm.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 45f61cfb1411ebbcc1bc5674a135d2723a2cbff6605c1b0571cea03d2dfae860
                                                                              • Instruction ID: aaef31da18390a9ebdeba9d975901118ec5ec77314507b7bc849b9c3c426c991
                                                                              • Opcode Fuzzy Hash: 45f61cfb1411ebbcc1bc5674a135d2723a2cbff6605c1b0571cea03d2dfae860
                                                                              • Instruction Fuzzy Hash: F0713971A102099FDB54DFA8C990A9EBBF6FF88300F248529E555EB354DB71EC46CB80
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.4540479582.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_66f0000_RegAsm.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 2ca6823abba12db7ff9139c7c8a569aa6afae67e43cf756d5f64ce60ae5db237
                                                                              • Instruction ID: 72f26e2b72b8a976855a20282028b8f90ab0c7e20faf6ab2e979d30c71f158c3
                                                                              • Opcode Fuzzy Hash: 2ca6823abba12db7ff9139c7c8a569aa6afae67e43cf756d5f64ce60ae5db237
                                                                              • Instruction Fuzzy Hash: C0715B71B102099FDB54EBA8C990A9EBBF6FF88300F248529E515EB354DB70EC46CB50
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.4540479582.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_66f0000_RegAsm.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 2c6f33c878410a6572ab13e5b00bd6095343b61c525263efb8d55265556bcb8b
                                                                              • Instruction ID: d19ed86fb18ab5bbe32006deb6dbe6a7cdc9bd847f12548d2855304f66549a5f
                                                                              • Opcode Fuzzy Hash: 2c6f33c878410a6572ab13e5b00bd6095343b61c525263efb8d55265556bcb8b
                                                                              • Instruction Fuzzy Hash: FE610431F20106EFDF64AB78E4946ADBBB2EF84310F108879E606D7355DB358845CB80
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.4540479582.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_66f0000_RegAsm.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 2e220795de8d2c9b3d7d23befae52ace35d3625d7a35f579be55a2e1ad38bbc6
                                                                              • Instruction ID: 39fe15ac0b7fad8f85c36619aa1b32fd9be49637a7ff4323fa7f3798c3de391a
                                                                              • Opcode Fuzzy Hash: 2e220795de8d2c9b3d7d23befae52ace35d3625d7a35f579be55a2e1ad38bbc6
                                                                              • Instruction Fuzzy Hash: C7512675B301178BEF646B6CD8A4B6F2A5AD78D300F21493AE60AC73D4CE39CC418792
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.4540479582.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_66f0000_RegAsm.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: e8d40afb0bbd1725584d1fa025d59cd3335547889b87ee36a27c2474d2ce812a
                                                                              • Instruction ID: fc5a7b83de6fe9d4b52629549308d141809a88a05184803110f66773b8436012
                                                                              • Opcode Fuzzy Hash: e8d40afb0bbd1725584d1fa025d59cd3335547889b87ee36a27c2474d2ce812a
                                                                              • Instruction Fuzzy Hash: E6510775B301178BEF646B6CD8A476F265AD78D310F204939E60AC73D4CE79CC4187A2
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.4540479582.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_66f0000_RegAsm.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 1717c4f8b851167484996b3978c99b657b6918fccc2254c06fcdcbeba61d0c40
                                                                              • Instruction ID: 975ec88b552fc1309ef248cb794755f253b5693fb01db0e1d326d013fe63091c
                                                                              • Opcode Fuzzy Hash: 1717c4f8b851167484996b3978c99b657b6918fccc2254c06fcdcbeba61d0c40
                                                                              • Instruction Fuzzy Hash: 71418F71E106098FCF60CFA9D880AAFFBB2FB65314F10492AE266D7650D730EC458B91
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.4540479582.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_66f0000_RegAsm.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 78aa7a734758ac991e9bbb0172558d13e2753e93d742255532e9d6a6cb00c765
                                                                              • Instruction ID: 6f8946e70062d7c4c790dd5e3e43112320789b31ec741ce33bf144d64258e9ea
                                                                              • Opcode Fuzzy Hash: 78aa7a734758ac991e9bbb0172558d13e2753e93d742255532e9d6a6cb00c765
                                                                              • Instruction Fuzzy Hash: 4931E371E202159FDF609F69C4807AEFBB1FB55320F258526E66ADB391C230EC41CB91
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.4540479582.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_66f0000_RegAsm.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 625b27c304769b7fe0fbca571776d8eab51d3e4a3ba83043ba0c66168f11e8ea
                                                                              • Instruction ID: 41ea6fe6b640cbf983729f2c5f8232bcc0e28912a422f6a3e49700452c8a2e23
                                                                              • Opcode Fuzzy Hash: 625b27c304769b7fe0fbca571776d8eab51d3e4a3ba83043ba0c66168f11e8ea
                                                                              • Instruction Fuzzy Hash: C5315370E2064A9BCB19DFA4D8646DEBBB6AF89300F108519EA05E7354DB71AD41CF50
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.4540479582.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_66f0000_RegAsm.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 6d6e31582c78856b78ae4fe1e20ab627f1c555a73ac15d763aab1983303d5262
                                                                              • Instruction ID: 6e3a299b19974ca49ae128a1a2978840fd8a22ee9347c30bc8af1aa06ba1cb23
                                                                              • Opcode Fuzzy Hash: 6d6e31582c78856b78ae4fe1e20ab627f1c555a73ac15d763aab1983303d5262
                                                                              • Instruction Fuzzy Hash: 86316471E2071B8BDF25DF64C89069EBBB2EF85304F204929E905EB344DB70B946CB40
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.4540479582.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_66f0000_RegAsm.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 762807be22c47316c04640875df8ecb127be8b35e2ccb682a785d4385dd4a262
                                                                              • Instruction ID: 4262182b138cbb93d6fb1e2425dd3dfd147a14182e0647f8c0b9c7969ed93c2f
                                                                              • Opcode Fuzzy Hash: 762807be22c47316c04640875df8ecb127be8b35e2ccb682a785d4385dd4a262
                                                                              • Instruction Fuzzy Hash: F2316670E2060A9BCB19DFA4D4A46DEB7B6BF89300F108519EA05E7354DB71AD41CF50
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.4540479582.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_66f0000_RegAsm.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 47eca58db9e34ecb340510b60e229838f62f4b94724fbe6e64cd74a82848cc98
                                                                              • Instruction ID: 5c5bc06c3c1dff7c8def1503ff8627c7e069f4e927db39e8add2ff7149ca3251
                                                                              • Opcode Fuzzy Hash: 47eca58db9e34ecb340510b60e229838f62f4b94724fbe6e64cd74a82848cc98
                                                                              • Instruction Fuzzy Hash: 0E3178B1D112099FCB40CFA9C9817EDFBB4BF09314F10816AE518E7601D374A950CBA1
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.4540479582.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_66f0000_RegAsm.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 7aa9bfa3d210739c8356382a770bc82a5a3f055d26e6531ede4778ad0985a311
                                                                              • Instruction ID: 2b8b8348327814d6a12d1016fcadddef95d0278867c4626692bf3743df1f90b6
                                                                              • Opcode Fuzzy Hash: 7aa9bfa3d210739c8356382a770bc82a5a3f055d26e6531ede4778ad0985a311
                                                                              • Instruction Fuzzy Hash: DC21EC71F102229FDB10CFB9D980AEEBBF5AF48300F048225E904E7355EB71D9028B90
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.4540479582.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_66f0000_RegAsm.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: cf27a988cfe757586634137bf1f1101a0c6cd86f4a6861568f870794f79ea659
                                                                              • Instruction ID: a3ddca6645664ffc3da80331a989e96ff9890d49a7240fe456992d9352c4b3de
                                                                              • Opcode Fuzzy Hash: cf27a988cfe757586634137bf1f1101a0c6cd86f4a6861568f870794f79ea659
                                                                              • Instruction Fuzzy Hash: 7F21BD75F202259FDB50DF69D980AAEBBF5FB48310F108129EA05E7394EBB1D901CB90
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.4533326719.000000000106D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106D000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_106d000_RegAsm.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 1a0995ee16ccd93c523e81a1cf1ce9253bf109b504215da4e5bd9fe217c26219
                                                                              • Instruction ID: 908e958e65ec1d170ff83fbf24f4b2953a7ce15491724949991692dff3d12e53
                                                                              • Opcode Fuzzy Hash: 1a0995ee16ccd93c523e81a1cf1ce9253bf109b504215da4e5bd9fe217c26219
                                                                              • Instruction Fuzzy Hash: 40318B715093C09FDB03CB64C890711BFB5AF46214F29C5DBD9888F2A3C23A980ACB62
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.4533326719.000000000106D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106D000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_106d000_RegAsm.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: d7bc5d3f0ce4d526f12862c1e50ad77cc9aa041770db6e1487746b635264b7cc
                                                                              • Instruction ID: 161e00ef6fce53c9c5dd79211321f31ee7251e26dda7a638016236f21e5c4152
                                                                              • Opcode Fuzzy Hash: d7bc5d3f0ce4d526f12862c1e50ad77cc9aa041770db6e1487746b635264b7cc
                                                                              • Instruction Fuzzy Hash: 932137B1604240DFEB11DF98D9C0B26BBA9EB84314F24C5AEE9C94B242C336D447CB61
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.4533326719.000000000106D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106D000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_106d000_RegAsm.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: f8d765d26e34e5c4465075662f1b3b6686e3996a2b23f98f9869d59d744da0bf
                                                                              • Instruction ID: 81048a769be93cdb9e91b95f93b0552d1edc2478fbed6d643fafbd98bbf49a8e
                                                                              • Opcode Fuzzy Hash: f8d765d26e34e5c4465075662f1b3b6686e3996a2b23f98f9869d59d744da0bf
                                                                              • Instruction Fuzzy Hash: A621FFB1604240EFDB05DF58D9C0B2ABBA9EB84318F24C5ADD8894F242C3BAD846C761
                                                                              Memory Dump Source
                                                                              • String ID: 8tq
                                                                              • API String ID: 0-396999354
                                                                              • Opcode ID: 589f9652bbb0914ff57481a467b0ad43214d86246a3189b4ba9785b2cc92c998
                                                                              • Instruction ID: 63a92fcce63b16b3c7019570f696631187df22b66bd36c68fa3cd752d46cd48d
                                                                              • Opcode Fuzzy Hash: 589f9652bbb0914ff57481a467b0ad43214d86246a3189b4ba9785b2cc92c998
                                                                              • Instruction Fuzzy Hash: 5BF027B1500B015BC312B2A4AC10758369E9789350F400EB8E115EB2E9CB18A9048BA5
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.2251985346.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_11_2_ea0000_newapp.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 18e56f09e4a160e25a247f2c0d9862156929354682ae860b4b32cbf11b7f6e98
                                                                              • Instruction ID: c598f71112dabb7a1363ced40e71d01c7bd439a24ad32426d5c943b838278486
                                                                              • Opcode Fuzzy Hash: 18e56f09e4a160e25a247f2c0d9862156929354682ae860b4b32cbf11b7f6e98
                                                                              • Instruction Fuzzy Hash: 3FC16E74200706CFDB09DF24D884A657BA6FF89304F258868E916AF3A4DB71FD85CB90
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.2251985346.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_11_2_ea0000_newapp.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: c614849c08115dc448305fd49286b32e4fa65a7552c5c08eaa6bf60eeabac5b6
                                                                              • Instruction ID: 68a67395d9d3f98cec06690adebee07781e10d54da13ce1f43db9bb3f1b1671d
                                                                              • Opcode Fuzzy Hash: c614849c08115dc448305fd49286b32e4fa65a7552c5c08eaa6bf60eeabac5b6
                                                                              • Instruction Fuzzy Hash: D701DB77700B119FC7259B65EC54D1A7BA8EFCDB60B1249D4E802DF368CA31EC058790
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.2251985346.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_11_2_ea0000_newapp.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: ddcae7d991a8198106d4e4fa2af3e8c8c0726dbe37dcb545412f5b4aab5bbacd
                                                                              • Instruction ID: 4e95535e3cbb221b63399ac7f97860407efe0a4fd8718c71077eb7c4c1ef2f34
                                                                              • Opcode Fuzzy Hash: ddcae7d991a8198106d4e4fa2af3e8c8c0726dbe37dcb545412f5b4aab5bbacd
                                                                              • Instruction Fuzzy Hash: DCF0E2B27063645FD30957795C50ABB3FAEEFC6260710047AE109D7392DD788C0683E0
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.2251985346.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_11_2_ea0000_newapp.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 97de1a20d399ba659885e46c0172254336ec89486fd1ae86865ac561c8096025
                                                                              • Instruction ID: e12984540010cc11f15430b3e194ca96764145d527b885f67d6e0a0ce61a9b44
                                                                              • Opcode Fuzzy Hash: 97de1a20d399ba659885e46c0172254336ec89486fd1ae86865ac561c8096025
                                                                              • Instruction Fuzzy Hash: 49F065B1A08349AFC705DFF69C486CA7FF9EE46115B1044EAE008E7151E67099458761
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.2251985346.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_11_2_ea0000_newapp.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 0882d6ff3e07c0239050d6cfd6103faa5357f51261b5c99ebfead73fd634e898
                                                                              • Instruction ID: 59e8cb76e82b0d2380d6fa223dd649a44d266b83a9c7bde57a3e528d65c5bb4d
                                                                              • Opcode Fuzzy Hash: 0882d6ff3e07c0239050d6cfd6103faa5357f51261b5c99ebfead73fd634e898
                                                                              • Instruction Fuzzy Hash: E2E09BB2604309AF8708DFF6E8494DE7FFDFB48267B004466E00DE7150EE7054844750
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.2251985346.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_11_2_ea0000_newapp.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 2489c2e0e5f8361c19f451d7ed1e016e94f12f6af92b79074e3506b558cfb684
                                                                              • Instruction ID: e4e65b61273c438a2f1e1debc8711067e0fbf0ba9afe2cb12efb01a49f49b526
                                                                              • Opcode Fuzzy Hash: 2489c2e0e5f8361c19f451d7ed1e016e94f12f6af92b79074e3506b558cfb684
                                                                              • Instruction Fuzzy Hash: E1E0C234108FC08FC709AF65ED24A103FA8A74B30AF4008E8E191AB2BAD660B844C755
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.2251985346.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_11_2_ea0000_newapp.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 7f65ca99a3a17c600c424f34dc97f2724e119067c7f58558d9c1c00014e5d389
                                                                              • Instruction ID: 0f4ecc95b3ab769bcb3e0037f4dbe6c20cf3ceef0c34a03377e74ac87a5a3810
                                                                              • Opcode Fuzzy Hash: 7f65ca99a3a17c600c424f34dc97f2724e119067c7f58558d9c1c00014e5d389
                                                                              • Instruction Fuzzy Hash: 3DD0A733A0DE905FC70552F5AD1528C3F24CB07296F0448FAD544EB1D1E6048D1483D2
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.2251985346.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_11_2_ea0000_newapp.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 2c29216b788494d7f8f68c8f00068eec1460dc5f9867dc98e046db3e7e514ca2
                                                                              • Instruction ID: 3c170d3d0ff68759aed7217829ebea27666ffb8c445862bf6efdc9b2e0e0e053
                                                                              • Opcode Fuzzy Hash: 2c29216b788494d7f8f68c8f00068eec1460dc5f9867dc98e046db3e7e514ca2
                                                                              • Instruction Fuzzy Hash: 2CD012D5D4C3D24EE72757305C093146F517F5320CF5A10C6C0849A1A3E2184688C357
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.2333671964.0000000000B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_b20000_newapp.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: tPpq
                                                                              • API String ID: 0-2711158331
                                                                              • Opcode ID: 027844d57a29a5cf5a23ca04eeca504f86b49f73a0eafa866f23e92dc80c3bc8
                                                                              • Instruction ID: 24aafaf0807e32e771d751b5e0df260af0a1a8d0fb3149ec3059a0f733eb943f
                                                                              • Opcode Fuzzy Hash: 027844d57a29a5cf5a23ca04eeca504f86b49f73a0eafa866f23e92dc80c3bc8
                                                                              • Instruction Fuzzy Hash: 472127753046218FCB59EB38D5A8A2D7BE2EF8961172505A8E40BCF372DA35DD42CB81
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.2333671964.0000000000B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_b20000_newapp.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 8tq
                                                                              • API String ID: 0-396999354
                                                                              • Opcode ID: 8877583a4d58e31f8802eb7902cdeeb240efe67892b892467a88b86468b6fdbe
                                                                              • Instruction ID: 4184f4372cc6d0453838ebb5329f76d48cafa3b87293d91d427091e02e5f79d2
                                                                              • Opcode Fuzzy Hash: 8877583a4d58e31f8802eb7902cdeeb240efe67892b892467a88b86468b6fdbe
                                                                              • Instruction Fuzzy Hash: 36E092216097914FC716A7B8B5206587BB59B9A341B0089AEE8068B6AACD6C4D068B92
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.2333671964.0000000000B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_b20000_newapp.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: b4430ad44f29b70789428d6fa86b1324c0541b1acaba12b65aede83c5b817054
                                                                              • Instruction ID: cdf524240fb58aedfeba869707a783c2252afa7b3568740a030e806f8b38b010
                                                                              • Opcode Fuzzy Hash: b4430ad44f29b70789428d6fa86b1324c0541b1acaba12b65aede83c5b817054
                                                                              • Instruction Fuzzy Hash: ED02C6717002159FCB15DF68D880AAEBBF2FF84300B25CA69E50A9B355DB35ED42CB91
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.2333671964.0000000000B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_b20000_newapp.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 07fefdaec4e9b793d121d230b665ed6758e65ef36244814812b84e283f6e3f89
                                                                              • Instruction ID: 6d039455f04e4dc8ea64d0dc7e3a5d255bbfb5819266dfbdb97639d38ab7f9b5
                                                                              • Opcode Fuzzy Hash: 07fefdaec4e9b793d121d230b665ed6758e65ef36244814812b84e283f6e3f89
                                                                              • Instruction Fuzzy Hash: E8D17034611305CFD719EF74D484A697BE2FF49300F6588A8E91A8B366DB75EC91CB80
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.2333671964.0000000000B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_b20000_newapp.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 4d8ecf8b1f571e764dd0cf3a47b243da35cd17f32f4326535627027a3fe39530
                                                                              • Instruction ID: a6ef776eb5dcc8c3c23ad91a0908d71db9db6203a661dcedb5a456d4cab9b4aa
                                                                              • Opcode Fuzzy Hash: 4d8ecf8b1f571e764dd0cf3a47b243da35cd17f32f4326535627027a3fe39530
                                                                              • Instruction Fuzzy Hash: 52018031F041149FC714ABB8E8157AD7FB6DF8A300F1080AAE50A9B391CA399D02CB91
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.2333671964.0000000000B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_b20000_newapp.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 2173292c1e5328332ee5f737857118360033a98dda120a47dadf05b89171ea9d
                                                                              • Instruction ID: 3ab3231038815dd696ddfc0a71c6f0406887edc861b9d1779657af5ee8abb5eb
                                                                              • Opcode Fuzzy Hash: 2173292c1e5328332ee5f737857118360033a98dda120a47dadf05b89171ea9d
                                                                              • Instruction Fuzzy Hash: 0701F773705620AFC725DB78F848D5A3BE1EB9C7603118A99E8478B315CA70CC028751
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.2333671964.0000000000B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_b20000_newapp.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: ee5d90ebcf412c6c2be896fa973ef5dafab2a5430c06f29062ca192296e6f9b9
                                                                              • Instruction ID: 884b01be92a64fb10a7709831b7deb3209e03efe1fe67c6809c66fb74766bb19
                                                                              • Opcode Fuzzy Hash: ee5d90ebcf412c6c2be896fa973ef5dafab2a5430c06f29062ca192296e6f9b9
                                                                              • Instruction Fuzzy Hash: 8BF02EB2B0A2601FD70957785C10ABF2FEAEFC622030446AFE00AC7392DD784C0283A1
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.2333671964.0000000000B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_b20000_newapp.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: eef4003c345385accf2619aaa5e4d5f5f8067fb7559a181a6f7b3c6d476a2a88
                                                                              • Instruction ID: 7dd187b02aa9b18027be186dc9518c8df3baf5af8e296d6597bbe85530036784
                                                                              • Opcode Fuzzy Hash: eef4003c345385accf2619aaa5e4d5f5f8067fb7559a181a6f7b3c6d476a2a88
                                                                              • Instruction Fuzzy Hash: 35E0ED76A05119BF9B04EFF9A8485DABFE9FA48262B148067E00AD2210EE7159428B90
                                                                              Memory Dump Source
                                                                              • Source File: 0000000D.00000002.2333671964.0000000000B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_13_2_b20000_newapp.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: bee86e06d830db08b821e7ea2e8652580d3b328edd8e40cd2d07ece85ff0f391
                                                                              • Instruction ID: b587ddb582e88394b4b6a5a7aaf024705024e158ad205b55011d120921837e54
                                                                              • Opcode Fuzzy Hash: bee86e06d830db08b821e7ea2e8652580d3b328edd8e40cd2d07ece85ff0f391
                                                                              • Instruction Fuzzy Hash: 64E0ED31A08148AFCB04CFF9A8487CEBFF8EF48101F1081AEE40AD3202EA7045028B11
                                                                              Memory Dump Source
• Source File: 0000000D.00000002.2333671964.0000000000B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_b20000_newapp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b8a0c2032822e76f77d27ae834ae60696181b9ed148c691a9d2b1a94f33c69ba
• Instruction ID: 3ebbd428908734f37a7cbe4a3406acd35d73558507af344ab6fd3d1c809decfd
• Opcode Fuzzy Hash: b8a0c2032822e76f77d27ae834ae60696181b9ed148c691a9d2b1a94f33c69ba
• Instruction Fuzzy Hash: 68E08C3460A7844FD70AEF70E924B943FA09B2A202B0445EAE847CB6A7C2A84846CB01
Memory Dump Source
• Source File: 0000000D.00000002.2333671964.0000000000B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_b20000_newapp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 76013cec62c26cb14d2f3f3ec7b55b3f20568ba5f5966ea11feb7c65eab64586
• Instruction ID: f842b85a096ccdf16f24db15554273d669ac700b4a7b03bbcd747a1aae0ed58c
• Opcode Fuzzy Hash: 76013cec62c26cb14d2f3f3ec7b55b3f20568ba5f5966ea11feb7c65eab64586
• Instruction Fuzzy Hash: 4DD0A722E0DA605BD701B2B57C0A38C3FA4CA13261F0441FBE44DC71A1E6188A1583E3
Memory Dump Source
• Source File: 0000000D.00000002.2333671964.0000000000B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_b20000_newapp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a60a71a9e2c018019059586258057e79aef0392b661663c5c7dc609512736b2c
• Instruction ID: 73b33128fa2692d4e1d3ef33523a5ef3ae0e1f1602dd9ef395f2ed93a2f66c45
• Opcode Fuzzy Hash: a60a71a9e2c018019059586258057e79aef0392b661663c5c7dc609512736b2c
• Instruction Fuzzy Hash: 96C0025414FBD10FD717577058264557FB0985310535945C7D4C7CF4E3E04908098327